“The iPhone does not need to have Twitter installed, and the vulnerability exists even on the latest version of iOS, 9.3.1. It takes seconds between activating Siri by holding down the home button and accessing the phone’s contacts,” Titcomb reports. “However, it also requires the use of the 3D Touch function on the latest iPhone 6s and 6s Plus, so earlier models and the iPhone SE released last month are not vulnerable.”
“The hacker must ask Siri to find tweets including an email address… Once they find a tweet, the iPhone’s 3D Touch can be used to add that address to a contact – a process that opens up the entire address book,” Titcomb reports. “When selecting a contact to add the email address to, the user can choose any of the stored contacts on the iPhone, revealing their phone numbers, email or addresses. And by selecting an option to edit a contact’s profile photo, they can access the entire photo library.”
“Apple may introduce a fix for this, but at the moment the only way to prevent it is to disable certain Siri functions,” Titcomb reports. “If you want to make sure Siri can’t access your address book or photos, the best way is simply to turn off access to Siri when the iPhone is locked. Go to Settings, then Touch ID & Passcode and deselect Siri under ‘Allow access when locked.'”
Read more in the full article here.
If you’d like to keep Siri active when your 3d Touch-capable iPhone 6s/Plus is locked, you can simply block access to your photos via Settings>Privacy>Photos and disable Siri access. Siri will still be able to access your contacts.
UPDATE: 3pm EDT: Apple has fixed bug that exposed iPhone 6s/Plus Photos and Contacts
[Thanks to MacDailyNews Reader “Elboe” for the heads up.]