Apple Applies Server-Side Patch To Fix Siri-Initiated Passcode Bypass Exploit
Here's a tip for anyone who owns a smartphone (so pretty much everybody)—don't leave your handset out in the open and unattended, even if you've locked it. Case in point, an online video making the rounds showed how it was possible to bypass an iPhone's passcode using Siri to access the device's contacts and photos.
The hack, if you want to call it that, was made possible by a rather odd bug in iOS 9.3.1. For it to work, Siri must have access to the iPhone owner's Twitter account. The handset must also support Force Touch, limiting the vulnerability to iPhone 6s and iPhone 6S Plus models. And the last requirement is finding a Twitter post containing someone's email address.
If all those factors are in play, the weird bug would let a curious co-worker or anyone else who came in possession of your iPhone take a peek inside—all they had to do was press down on the part of the Twitter post containing an email address and the 3D Touch feature would call up a menu to add a new contact or edit an existing one. From there, the person snooping on an iPhone could choose to edit a contact's photo, which would give them access to the handset's camera roll, too.
The hack, if you want to call it that, was made possible by a rather odd bug in iOS 9.3.1. For it to work, Siri must have access to the iPhone owner's Twitter account. The handset must also support Force Touch, limiting the vulnerability to iPhone 6s and iPhone 6S Plus models. And the last requirement is finding a Twitter post containing someone's email address.
If all those factors are in play, the weird bug would let a curious co-worker or anyone else who came in possession of your iPhone take a peek inside—all they had to do was press down on the part of the Twitter post containing an email address and the 3D Touch feature would call up a menu to add a new contact or edit an existing one. From there, the person snooping on an iPhone could choose to edit a contact's photo, which would give them access to the handset's camera roll, too.
The user who posted the video has several others on YouTube that show ways of exploiting the iPhone using Siri, though some of them no longer work. That's also true of the method explained here. Once Apple was made aware of the quirky vulnerability, it issued a server-side fix. If you own an iPhone 6s or iPhone 6S Plus, there's nothing to do on your end.
