Apple has released an emergency update for iOS and iPadOS that fixes a vulnerability in notification handling. Identified as CVE-2026-28950, the flaw allowed deleted messages from apps like Signal to be stored on the device without the user's knowledge, facilitating unauthorized recovery. The company urges users to update their systems.
The technical flaw that exposed ghost messages 🕵️
The flaw resided in the push notification services, where the system did not properly delete records of messages marked for deletion. This caused notifications from ephemeral messaging apps, such as Signal, to remain in system cache files. Although the interface showed the content as deleted, the data persisted in internal storage. An attacker with physical access to the device could extract this residual information without needing to unlock the app.
Deleting messages: Apple's new optical illusion 🎭
Apple promises us self-destructing messages, but it turns out they just hide under the digital rug. This flaw turns the delete button into a mere decoration. If you use Signal for private conversations, now you know your secrets don't leave; they just take a vacation in the system cache. Next time, better burn the phone or at least throw it into the sea.