Apple iPhone 6S and 6S Plus users are being warned about a security flaw that could let attackers bypass the phone's coded lockscreen and access personal information, including contact lists and photos. Uncovered by researcher Jose Rodriguez, the bug applies to every software version, including the most recent 9.3.1 update.
When the iPhone is locked with a password, the bypass is launched with the help of Apple's voice recognition software, Siri. It is activated when a user asks Siri to search Twitter for email addresses, for example "gmail.com", which brings up a list of valid links on the screen. The user is then able to click on a link and, with the help of 3D Touch, bring up a pop-up menu containing the options 'Add to Existing Contact' and 'Create a New Contact'. When an option is selected, the menu opens the contact list on the locked device and, because the iPhone lets users add an image to a contact's profile, the full photo library is also open to snooping.
Easily turned off but no official fix
Luckily, the flaw only affects devices that have given Siri relevant permissions to access these applications. At the time of writing there does not appear to be an official fix for the bug; however, concerned users can fully disable Siri on the lock screen to ensure they don't fall victim. The bypass was originally posted by Jose Rodriguez in Spanish, and YouTuber EverythingApplePro has since put up a longer English version explaining in detail how the exploit works.
Following the 9.3 software update, users have been caught up in a number of bugs and glitches. Most recently, Apple was forced to release iOS 9.3.1 to resolve a widespread issue where applications, or even the device, would crash altogether after tapping links.
IBTimes UK contacted Apple for comment but had received no response at the time of publication.