Apple has released iOS 26.4.2, a critical security update that addresses a vulnerability in its notification database. The flaw allowed law enforcement agencies, including the FBI, to access push notifications that users had deleted from their iPhones or iPads.
The Electronic Frontier Foundation (EFF) highlighted the issue, noting that the flaw enabled circumvention of Apple’s strict user privacy policies. Since 2023, Apple has required a court order to share notification data, but this vulnerability provided an alternative method for accessing such information.
How the Flaw Worked
According to Apple’s update notes, iOS 26.4.2 introduces improved data redaction to resolve an issue where notifications marked for deletion could still be retained on the device. The update is now available for the following devices:
- iPhone 11 and later
- iPad Pro 12.9-inch (3rd generation and later)
- iPad Pro 11-inch (1st generation and later)
- iPad Air (3rd generation and later)
- iPad (8th generation and later)
- iPad mini (5th generation and later)
FBI’s Use of the Flaw
The flaw was first reported by 404 Media, which revealed that the FBI used a tool to access Signal notification data stored locally on an iPhone—even after the notifications were deleted. Signal CEO Meredith Whitaker acknowledged the issue on Bluesky, stating:
"Notifications for deleted [messages] shouldn't remain in any OS notification database, and we've asked Apple to address this."
Whitaker advised Signal users to adjust their app settings to prevent push notifications from displaying messenger names or message content.
Privacy Risks Beyond Local Storage
The EFF emphasized that notification privacy is vulnerable in multiple areas:
- Cloud storage: Notifications are routed through company servers, where metadata may be logged.
- Local device storage: Notifications are stored on the device where they are received.
While Apple’s update aims to make deleted notifications inaccessible, the EFF also suggested that limiting the visibility of notification content could further enhance privacy.
Related articles
Apple Explores Intel’s 18A-P Process for Future iPhone and Mac Chip Production
The initial run will focus on older Apple Silicon systems.
Fired IT Workers Accidentally Record Own Database Sabotage via Active Teams Call
Perhaps you remember Muneeb and Sohaib Akhter, the 34-year-old twin brothers we profiled earlier this week. Although they had the tech chops to commit...
Colorado's Age-Gating Bill Sparks Backlash from Linux Developers Over Privacy Concerns
In January, Colorado lawmakers introduced a proposal to make operating systems collect users' ages and pass them to app developers. The bill, SB26-051...
Windows 11 BitLocker Bypassed by Zero-Day Exploit 'YellowKey' in Seconds
A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain compl...
Apple Podcasts to Support Spotify-Hosted Video Podcasts via HTTP Live Streaming
HTTP Live Streaming support will let Apple Podcasts play Spotify-hosted video podcasts.
Esports World Cup Relocates from Riyadh to Paris Amid Middle East Uncertainty
Uncertainty in the Middle East is apparently forcing the location change.
OpenAI Confirms No User Data Accessed in ChatGPT Mac App Security Breach
OpenAI found no evidence that user data was accessed.
Beats Solo 4 Wireless Headphones Drop to Best Price of 2024: $129.95 at Amazon, Best Buy, Target
The Beats Solo 4 support lossless audio and work with both iOS and Android devices. | Image: The Verge If you want a pair of Apple-made wireless headp...