Apple Just Fixed an iOS Flaw Exploited by the FBI - Here's What Happened

Apple's iOS 26.4.2 update for the iPhone
Lance Whitney/ZDNET

ZDNET's key takeaways

  • iOS 26.4.2 fixes a flaw that allowed access to deleted texts.
  • The FBI exploited this flaw to retrieve messages from a Signal user.
  • The patch should protect other messaging apps from this weakness.

Many people use the popular Signal app to send and receive encrypted text messages. As an added bonus, you can set all texts to automatically vanish after a certain amount of time. But those protections don't help as much if there's an underlying flaw in your device's operating system. And that's precisely what happened, and why Apple had to fix it.

On Wednesday, Apple released its latest minor update for iOS (and iPadOS). The release notes for iOS/iPadOS 26.4.2 show only one vulnerability patched by the new version. Impacting the notifications service on your iPhone or iPad, the statement simply says: "Notifications marked for deletion could be unexpectedly retained on the device."

As is sometimes the case with Apple update notes, the explanation raises more questions than it answers. However, the reason for the update lies in the Signal app itself and in how the feds were able to skirt its security.

In a federal trial that concluded last month, several individuals were charged with and found guilty of setting off fireworks and vandalizing property at an ICE detention facility. One of the defendants, Lynette Sharp, had used Signal on her iPhone and later deleted the app, 404 Media (subscription required) reported earlier this month, citing people present at the trial.

How the FBI accessed Signal messages

During the trial, however, an FBI agent testified that the agency was able to access Sharp's incoming Signal messages because copies of their content had been saved in her phone's push notification database.

Normally, a message received via Signal triggers a push notification on your phone. The notification alerts you to the message and, by default, displays the name of the sender and shows some of the message content. In Signal, you can modify this option so that only the person's name appears, or so that no name and no content appear.

Apparently, Sharp had left the default Signal notification settings unchanged. That meant the names and partial contents of texts she received (but not those she had sent) were still stored and accessible due to this iOS weakness. That weakness allowed the FBI to retrieve certain texts she had received on her phone.

"We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the lock screen, the iPhone will internally store those notifications/message previews in the internal memory of the device," a supporter of the defendants who was taking notes during the trial told 404 Media.

Though Apple has so far not acknowledged the Signal incident as the reason for iOS 26.4.2, Signal was open about it. In a post on X, Signal thanked Apple for the patch and specifically cited the FBI's access to message notification content even though the app had been deleted.

No user action required

"Apple's advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release," Signal said in its post. "Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications. We're grateful to Apple for the speedy action here, and for understanding and acting on the stakes of this kind of issue."

Though the patch may have been rolled out in response to the Signal incident, the update will presumably prevent the flaw from affecting other messaging apps. To get this latest update on your iPhone or iPad, head to Settings, select General, tap Software Updates, and then tap the button to update now. After the update is installed, restart your iPhone or iPad.
