Durov Warns: Signal Push Notifications Pose Critical Privacy Vulnerability

Telegram founder Pavel Durov has issued a stark warning, declaring that Signal's push notification system represents a critical privacy vulnerability. This alert follows recent investigative reports revealing that law enforcement officials have successfully retrieved deleted Signal messages by accessing device push notification logs. The exposure of this forensic method directly challenges the core privacy promise of end-to-end encrypted messaging platforms, suggesting that metadata from notifications can create a persistent, exploitable record outside the app's encrypted environment.

The vulnerability centers on how push notifications work. When a Signal message arrives, the app's server sends a notification to the device's operating system (iOS or Android) to alert the user. These notifications, which can contain message previews, are often logged by the OS in a way that persists even after the original message is deleted within the Signal app itself. This creates a potential backchannel for data recovery. Durov's public highlighting of this flaw intensifies scrutiny on Signal, a platform widely used by activists, journalists, and privacy-conscious individuals for its strong encryption credentials.

The revelation raises profound questions about the true boundaries of digital privacy and the limits of encryption when interfacing with proprietary operating systems. It signals mounting pressure on encrypted messaging services to audit and fortify every data pathway, not just the primary channel. For users, the incident serves as a sobering reminder that complete ephemerality is difficult to guarantee in a complex digital ecosystem where apps must interact with broader, less secure system layers.