
macrumors bot (Original poster)
The iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 updates that Apple released today address a security vulnerability that the FBI recently used to extract Signal message previews from an iPhone even after the app was deleted.


A flaw with notification services allowed notifications that were supposed to be deleted to be retained on an iPhone or iPad. Apple says it fixed the logging issue with improved data redaction.

Apple became aware of the vulnerability after recent court testimony revealed that the FBI was able to access the internal notification database on an iPhone involved in a case, providing law enforcement with access to message previews. The iPhone in question was set to display the content of Signal messages on the Lock Screen, and with that feature enabled, the iPhone stores message content.

The defendant in the case had deleted the Signal app and had Signal messages set to disappear, but the iPhone kept the messages in its database long enough for the FBI to access them.

Apple users running iOS 26, iPadOS 26, iOS 18, or iPadOS 18 should update to the latest versions to avoid being impacted by the security flaw.

Note: Due to the political or social nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: iOS 26.4.2 Patches Flaw That Let FBI Extract Deleted Signal Messages
 
I hope this incident prompts Apple to take a serious look at other gaps in their privacy model. There are so many cases where they overpromise and underdeliver. Intent doesn't matter if there are gaping holes like this one.
The next couple of years will be wild. With AI easily able to detect holes, I predict a lot of updates for all software in the coming years.
 
So I don’t display messages on the lock screen, but this sounds like it’s a Signal issue? And why wasn’t the database encrypted?

I hope this incident prompts 3rd party apps to really take a look at their privacy model.

It's not really a Signal issue from what I understand. App notifications work by the app passing the text message to be displayed to iOS, which handles the notification message. It can't pass it as encrypted as iOS wouldn't be able to decrypt it to display it. Apps can't serve their own native notifications.
 
Apple only became aware of this issue due to the FBI taking advantage of it? Kind of like how Apple only found out WebKit had giant security holes because of active exploits? Shouldn't they have people testing for these kinds of things? Not enough focus on security for my taste. Developers and researchers say Apple never pays out for bug bounties and their own talent isn't catching this stuff, so I feel they are always on the back of their foot with this stuff. Maybe they can use Claude Mythos to find the vulnerabilities before the hackers or the feds do in the future?
 
So I don’t display messages on the lock screen, but this sounds like it’s a Signal issue? And why wasn’t the database encrypted?

I hope this incident prompts 3rd party apps to really take a look at their privacy model.

Either A) there was no passcode on the phone (user data is not encrypted, and this is unlikely), or B) the feds obtained the passcode to the phone.

It sounds like Apple just changed the amount of time the notification service keeps message data, so instead of whatever it was, maybe a year, it now may only retain it for a week. Who knows. But either way, from the sound of the patch notes, it still functions the same way with just a shorter retention period.

And it may not be Signal specific; that just may have been the only app the guy was using to communicate. I would assume they probably searched the database for other apps' info and didn’t find any. And Signal gets called out because it’s supposed to be one of the most private and secure systems. I wonder if some similar exploit exists for Android since they have a notification history function as well.
 
It's not really a Signal issue from what I understand. App notifications work by the app passing the text message to be displayed to iOS, which handles the notification message. It can't pass it as encrypted as iOS wouldn't be able to decrypt it to display it. Apps can't serve their own native notifications.

Why was only Signal affected? What about other apps? So if notifications are off for Signal, this issue dissolves into nothing?
 
So I don’t display messages on the lock screen, but this sounds like it’s a Signal issue? And why wasn’t the database encrypted?

I hope this incident prompts 3rd party apps to really take a look at their privacy model.

No, Signal was using OS-provided Notification APIs, which had the flaw. This would affect all apps, and is a notable "uh-oh" moment for Apple. They failed to catch this during testing of how closely iOS adheres to their promise of privacy.
 
Ahh yes, once again Apple protecting criminals.

That's a puzzling way to view this. Apple promises that their platform is secure. iPhone was just recently certified for US government (?) usage, and yet here was an oversight in the design that exposed potentially private data.

Yes, fixing this may protect criminals, but fixing it aligns the platform with their promise, which benefits all users.
 
Improved redaction sounds like they no longer store the actual message preview content in the log anymore. I wonder if this may have affected more than just Signal, and hopefully it's fixed for everyone and not just a patch specifically for Signal.
 
That's a puzzling way to view this. Apple promises that their platform is secure. iPhone was just recently certified for US government (?) usage, and yet here was an oversight in the design that exposed potentially private data.

Yes, fixing this may protect criminals, but fixing it aligns the platform with their promise, which benefits all users.

People who don't commit crime don't need protection from the FBI or from anyone.
 
That's a puzzling way to view this. Apple promises that their platform is secure. iPhone was just recently certified for US government (?) usage, and yet here was an oversight in the design that exposed potentially private data.

Yes, fixing this may protect criminals, but fixing it aligns the platform with their promise, which benefits all users.

It's been certified for US government, NASA, Germany, EU, etc.

It's the Windows of the smartphone world in the sense of "what else are you going to use?", and though it may not be perfect, it's hammered on by everyone constantly (just like this), so it's about as secure as we're going to get when configured properly.

This specific bug would have been a non-issue had the person disabled notification previews, which the truly paranoid would do, but it's good they're fixing it.
 
I do use Signal, and I certainly don't have my messages displayed on the Lock Screen.

But to understand: IF someone has them on the lock screen and even deletes the app, they were subsequently accessible to the FBI (in this case) retrospectively? Just because they appeared on the Lock Screen prior?
 