Cybersecurity

Your "Deleted" Messages Were Never Actually Deleted, Congratulations

NeglectedSheep

2 min read
Share
Your "Deleted" Messages Were Never Actually Deleted, Congratulations

Oh good. Another Tuesday. Another reason to question every life choice that led me to this career.

So Apple, the company that charges you four figures for a phone and wraps it in a privacy halo, has quietly patched a flaw where iOS was just... keeping your deleted Signal notifications. Logged. Retained. Sitting there like a lamb who wanders back into the barn after you've already counted heads and gone to bed.

CVE-2026-28950. A "logging issue." That's what they called it. A logging issue. The kind of corporate understatement that makes me want to lie face-down in a field.

Here's the actual problem: when you got a Signal notification and the app did its whole "delete after reading" thing, iOS Notification Services looked at that instruction and apparently thought, "cute, but no." The data stuck around on the device anyway. Unredacted. Cozy. Waiting.

The FBI reportedly used this to recover messages from a suspect's phone. Which, depending on your feelings about federal law enforcement, is either terrifying or extremely funny. I'm too tired to have feelings.

The worst part? This isn't a Wolf who found a hole in the fence. There was no coyote. No fake grain. No elaborate lure. The Lambs didn't even have to click anything this time, which, honestly, is almost refreshing. The phone just quietly betrayed everyone all on its own.

The Shepherds, naturally, have already moved on to asking why the quarterly compliance deck isn't finished yet.

Apple has addressed it with "improved data redaction," which is the kind of phrase that sounds reassuring until you realize it implies the old data redaction was, you know, bad.

Remediation

Look, I'll keep it short because I have seventeen tickets open and one of the Lambs just emailed asking why their phone is "acting weird."

Update your devices. iOS and iPadOS patches are out now. Go to Settings, General, Software Update, and just do it. Do it before I have to write another one of these.

If you use Signal for sensitive communications, understand that the app's security model is only as strong as the OS sitting underneath it. The Sheep Tunnel means nothing if the barn floor is rotting.

Assume nothing is ever truly deleted. I know that's bleak. I'm sorry. I'm not sorry.

Tell the Flock. They won't listen, but tell them anyway. It's called due diligence and it's the only thing standing between me and a written warning.

Go update your phones, I'm going back to my cold coffee and my existential dread.

Original Report: https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html