A newly discovered security flaw in the iPhone 6s and 6s Plus allows users to bypass the lock screen and gain access to contacts and photos. The exploit only works on 3D Touch-equipped phones set to allow Siri access to Twitter, Contacts and Photos, but if all of those variables are in place, gaining access to a user’s photos is relatively easy.
If a Twitter search run through Siri yields a tweet that contains an email address, a 3D Touch gesture can then be used to call up the contextual menu with options to send mail to the address or add it to contacts.
Choosing to add the address to contacts allows access to the phone’s existing contact list, and using the contact list’s option to add photos to a contact, the user can browse the phone’s photos without ever entering a passcode. To guard against the potential intrusion, users need only disable Siri’s Twitter integration under Settings > Twitter. [via Apple Insider]
Update: Apple has tweaked Siri to stop the personal assistant from allowing access to Twitter searches from a locked iPhone.
A spokesman confirmed to the Washington Post that the company pushed out a fix to make Siri force users to unlock their phone before delivering Twitter search results. The update was handled on Apple’s own servers, so it won’t require any action from users.