By default, the voice-controlled personal assistant Siri on the iPhone 4S gives access to contact details and calendars, and allows calls to be made and messages to be sent, even when the phone is passcode protected.
The security hole means that, even if your iPhone is locked with a password, someone can use Siri to view possibly sensitive information easily and run up an enormous bill by dialling foreign numbers.
Despite Siri's willingness to share information with anyone who asks, she cannot open applications, and her behaviour can be controlled in the settings application.
Siri can be turned off in the password lock settings, which stops content from being shared without a passcode being entered, but this should really be the default setting.
Graham Cluley of security company Sophos blogged: "What's disappointing to me though is that Apple had a clear choice here. They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system."
Since its release, Siri has been criticised for failing to offer location-based results outside of the US, and has been described as a gimmick that offers amusing answers to the meaning of life rather than being a genuinely useful tool.