iOS 9.3.1 Security Flaw Allows Access to iPhone 6s/6s Plus Contacts and Photos
After years of bug hunts, Apple’s latest iOS (9.3.1) still has a flaw that lets anyone bypass the passcode on a limited set of devices and access Contacts and Photos. The vulnerability seems to affect only the latest iPhone 6s and 6s Plus handsets, since 3D Touch is needed to replicate the bug (via AppleInsider).
The discovery comes from the same Jose Rodriguez who has uncovered lockscreen bugs before – see the one from last September which works only in certain situations, and the lockscreen bug in iOS 6.1.3 from three years ago.
The flaw is triggered by asking Siri to “search twitter”. Then, as demonstrated in the video inserted below (I couldn’t replicate it on my iPhone 6), ask Siri to conduct another search, this time for “gmail.com” or anything that returns actionable Contacts data, such as an email address. With the data displayed on the screen, users can 3D Touch the result and tap “Add to Existing Contact”, which opens the device’s Contacts list. From there the contact can be edited, and the edit flow gives access to the photos held on the iPhone.
According to Rodriguez, the 3D Touch flaw can also be applied to Siri results for WhatsApp friends-list searches.
Until Apple addresses this flaw, you can protect yourself by restricting Siri’s access to Twitter and Photos, or by preventing Siri from being used while the device is locked. You could also disable Siri completely, but you may want to reconsider that, as sometimes she can be useful.