Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device.
The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction.
“Notifications marked for deletion could be unexpectedly retained on the device,” Apple said in an advisory.
The shortcoming affects the following devices –
iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later – Fixed in iOS 26.4.2 and iPadOS 26.4.2
iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), iPhone 16e, iPad mini (5th generation – A17 Pro), iPad (7th generation – A16), iPad Air (3rd – 5th generation), iPad Air 11-inch (M2 – M3), iPad Air 13-inch (M2 – M3), iPad Pro 11-inch (1st generation – M4), iPad Pro 12.9-inch (3rd – 6th generation), and iPad Pro 13-inch (M4) – Fixed in iOS 18.7.8 and iPadOS 18.7.8
The update comes weeks after a report from 404 Media that the U.S. Federal Bureau of Investigation (FBI) managed to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, by taking advantage of the fact that copies of the content were saved in the device’s push notification database.
It’s not known why the notifications’ content was logged in the device to begin with, but the latest update suggests it was a bug. That said, it’s unclear when this issue was introduced, and if there have been prior cases where such data may have been captured by authorities using forensic tools.
While Signal already has an option to prevent the content of incoming messages from being displayed in notifications, the development highlighted how physical access to a device can facilitate the extraction of sensitive data from at-risk users.
“For most app notifications, there’s no simple way to easily figure out what metadata might be gleaned from a notification, or if the notification is unencrypted or not,” the Electronic Frontier Foundation (EFF) said. “It’s also good to reconsider whether any app should be sending you notifications to begin with.”
To prevent the message content from showing in notifications, users can navigate to their profile > Notifications > Show, and select one of the following: “Name only” or “No name or message.”
“Note that no action is needed for this fix to protect Signal users on iOS,” Signal said in a post on X. “Once you install the patch, all inadvertently-preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications.”
“We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.”
📰 Original Source:TheHackerNews ✍️ Author: info@thehackernews.com (The Hacker News)
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Leave a Reply