“A bug in Siri allows anyone to bypass a locked iPhone’s passcode and access both the saved contacts and photos stored on a device,” James Titcomb reports for The Telegraph. “The simple hack uses Siri’s ability to search Twitter to find an email address, which can be used to open the iPhone’s address book without entering the security code needed to unlock the phone.”
“The iPhone does not need to have Twitter installed, and the vulnerability exists even on the latest version of iOS, 9.3.1. It takes seconds between activating Siri by holding down the home button and accessing the phone’s contacts,” Titcomb reports. “However, it also requires the use of the 3D Touch function on the latest iPhone 6s and 6s Plus, so earlier models and the iPhone SE released last month are not vulnerable.”
“The hacker must ask Siri to find tweets including an email address… Once they find a tweet, the iPhone’s 3D Touch can be used to add that address to a contact – a process that opens up the entire address book,” Titcomb reports. “When selecting a contact to add the email address to, the user can choose any of the stored contacts on the iPhone, revealing their phone numbers, email or addresses. And by selecting an option to edit a contact’s profile photo, they can access the entire photo library.”
“Apple may introduce a fix for this, but at the moment the only way to prevent it is to disable certain Siri functions,” Titcomb reports. “If you want to make sure Siri can’t access your address book or photos, the best way is simply to turn off access to Siri when the iPhone is locked. Go to Settings, then Touch ID & Passcode and deselect Siri under ‘Allow access when locked.’”
Read more in the full article here.
MacDailyNews Note:
If you’d like to keep Siri active when your 3D Touch-capable iPhone 6s/Plus is locked, you can simply block access to your photos via Settings>Privacy>Photos and disable Siri access. Siri will still be able to access your contacts.

UPDATE: 3pm EDT: Apple has fixed bug that exposed iPhone 6s/Plus Photos and Contacts
[Thanks to MacDailyNews Reader “Elboe” for the heads up.]
I can’t recreate this. Siri says I’ll have to unlock my iPhone before searching Twitter.
Apple already fixed this problem.
That’s quite the headline!
How when the phone is in my pocket?
Clickbait headline which doesn’t reflect reality, as is way too frequent on MDN. Sometimes I think the site is secretly (and maybe openly) anti-Apple.
Rather than redecorate all the Apple Stores (as our local one got the New Look last week), why doesn’t Apple hire some white hat hackers to audit their damn software?