New Delhi: Apple has released an urgent software update to fix a serious iOS and iPadOS vulnerability that could allow deleted Signal messages to be recovered. The bug, now patched, was an issue of privacy of the users; it was reported that despite the removal of the app, the forensic tools could still retrieve the data in the messages.
The bug was related to the management of the notifications on the iPhones and iPad. Apple reported that some of these notifications that were set to be deleted were still stored on devices. This implied that sensitive content of messages might stay alive under certain circumstances such as physical access to the gadget.
What was the iOS notification flaw?
This vulnerability, which was identified as CVE-2026-28950, was a logging problem in the notification services system of Apple. The bug led to deleted messages being stored inadvertently on the device, rather than being erased.
Apple wrote in its official release that deletion notifications might be stored on the phone accidentally. The company also noted that the problem has been addressed now and better data redaction methods have been implemented.
How the FBI recovered deleted Signal messages
The seriousness of the bug surfaced when a report by 404 media indicated that the Federal Bureau of Investigation (FBI) could get Signal communications off the iPhone of a suspect.
The case was associated with an intrusion in a detention facility, where the researchers allegedly had access to copies of messages sent to incoming via the device in a storage of the push notification database. This occurred despite the deletion of the Signal app.
Experts say this highlights a key risk: even encrypted applications can leave a footprint in the form of system-level notifications unless treated with appropriate care.
Which devices were affected?
Apple acknowledged that the defect affected a large number of products, which include the following:
- iPhone 11 and beyond.
- Several iPad Pro, iPad Air, iPad Mini, and regular iPad models
This problem has been fixed in:
- iOS 26.4.2 and iPadOS 26.4.2
- iOS 18.7.8 and iPadOS 18.7.8 (for older supported devices)
It is highly recommended that users update their devices as soon as possible in order to protect themselves.
Why this matters for your privacy
Privacy experts caution that sensitive information may accidentally be revealed by notification systems. The Electronic Frontier Foundation (EFF) observed that users typically do not have much insight into metadata that is collected about them or the manner in which it is notified.
The organisation also indicated that a lot of notifications could be unencrypted, which could be a vulnerability to an otherwise secure communication system.
What Signal and Apple said
Signal explained that there is no user action that should be undertaken except updating the device. The company posted a statement on X, indicating that the patch will automatically delete any notifications it had previously stored and will not store future notifications.
Signal also recognised the response of Apple, that timely intervention was essential in alleviating the privacy threat.
How to protect your messages
Although the problem has been resolved, users can follow some additional safety measures:
- Switch-off preview messages in the notification.
- Turn to signal settings and either choose name only or no name or message.
- Never save confidential information in notifications.
This event shows that even minor issues on a system level may pose significant privacy threats. Although the encryption of messages within applications such as Signal can be used to secure information, data leaks may occur due to other operating system functionalities such as notifications.
Apple has bridged this gap with the latest update. Yet the incident acts as a wake-up call: one of the easiest and most efficient solutions to safeguard your data is to make sure your device is up to date.