Apple Patches Bug Exposing Deleted Chat Messages via Logged Notifications
Published
Key Takeaways
- Security vulnerability: An Apple bug fix addresses a flaw where deleted chat messages remained in the notification database.
- Forensic extraction: Law enforcement agencies exploited this vulnerability to bypass Signal's privacy and read automatically-deleted conversations.
- Software patch: The recent iPhone security update resolves the issue across devices, including older models running iOS 18.
Apple has released an iPhone and iPads security update that addresses a significant architectural flaw in how the iOS notification database processes data from encrypted messaging applications.
The core of the security issue resided in the device's local notification system, which could unexpectedly retain notifications marked for deletion. This vulnerability could allow the forensic extraction of deleted chat messages.
Notification Database Vulnerability
The CVE-2026-28950 iOS and iPadOS logging issue concerned secure applications, such as Signal or WhatsApp, that were configured to automatically erase communications. The notifications originally displaying the content of those deleted chat messages were unexpectedly retained in the device cache.
According to security reports, these notifications lingered in the system database for up to a month. This unauthorized data retention inadvertently circumvented intended data destruction protocols, severely undermining secure apps’ privacy and standard end-to-end encryption guarantees.
Earlier this month, 404 Media reported that the FBI successfully utilized specialized forensic extraction tools to recover retained Signal notifications from a seized iPhone. Following the public disclosure of this forensic methodology, Signal president Meredith Whittaker publicly urged Apple to rectify the operating system's notification retention behavior via a post on Bluesky.
Software Patch
The latest Apple bug fix (iOS 26.4.2 and iPadOS 26.4.2) ensures that notifications explicitly marked for deletion by encrypted applications are permanently erased from the OS database. To maximize endpoint security, the company has also backported this essential patch to devices running the older iOS 18 architecture.
Users prioritizing operational security should immediately install the latest iPhone security update to verify their deleted communications remain permanently inaccessible to unauthorized forensic analysis.
Last month, Russian cybercriminals targeted the Signal and WhatsApp accounts of high-value individuals in a large-scale phishing operation. Also, a DarkSword iPhone exploit kit version leaked on GitHub, and an executive at US Contractor Trenchant was reportedly linked to the global iPhone hacking toolkit Coruna.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular