When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Apple fixes bug cops used to recover deleted chats from alleged Antifa member's iPhone

The FBI used a flaw in the way iOS handled notifications to extract incoming Signal messages for a suspect's iPhone, now Apple's rolled out a fix.

Neowin · with 2 comments

A padlock appears next to the iOS Apple logo
Image via Depositphotos.com

Apple has shipped iOS 26.4.2 and iPadOS 26.4.2, with a patch for a vulnerability (tagged CVE-2026-28950) that gave cops the ability to extract messages from a suspect's iPhone, even after those messages were set to disappear.

Earlier this month, 404 Media's Joseph Cox wrote a story detailing how the FBI successfully recovered deleted, encrypted Signal messages from an iPhone. This was from a suspect in the "Prairieland" case. The feds managed this not by breaking Signal's signature end-to-end encryption or finding some way to exploit the app itself. Instead, they took advantage of a flaw in iOS's internal push notification database.

When the user received a Signal message, their iPhone generated a lock-screen notification containing a preview of the message's text. Even though the user had set their messages to "disappear" within Signal and later completely uninstalled the app, these previews remained. The text was saved in a system cache, which allowed forensics tools to scrape the data right off the device. This method (obviously) has the severe limitation that it can only recover incoming messages, not outgoing ones.

The FBI had been investigating a July 2025 incident where a group vandalized the ICE Prairieland Detention Facility in Texas and shot a police officer. The defendants, including Lynette Sharp (the person whose phone data was scraped), were charged with alleged "Antifa" activities.

Before this new update from Apple, the only way to protect yourself from this type of data extraction was to change your notification settings. You could go into Signal and set notifications to show "No Name or Content," or you could change the setting system-wide in iOS.

Apple, on its website, announced the update, simply described it as a fix for an issue where "notifications marked for deletion could be unexpectedly retained on the device." The company's official explanation states, "A logging issue was addressed with improved data redaction." This patch is available for these devices: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and the iPad mini 5th generation and later.

A Microsoft logo on a building
Next Article

Microsoft almost fought SpaceX for Cursor in a massive $60 billion AI showdown

The Hisense 85QD7QF
Previous Article

Massive 85-inch Hisense 4K Mini-LED TV hits an incredible $699 price point

2 Comments

Load the comments and join the conversation!

Read the comments, ask the editors questions, show respect and join the conversation.

Click here