Apple’s date with iPhone bugs seems to be long from over, as a new lock screen bypass vulnerability was discovered that gives anyone access to contact and photo albums on iPhone 6s and iPhone 6s Plus without unlocking the smartphones with a passcode or via the Touch ID fingerprint scanner.
The bug was first noticed by YouTube user named Videosdebarraquito, who in a video showed that the particular vulnerability allows a user to access contacts and photo albums of the iPhone 6s or iPhone 6s Plus without unlocking the device.
Under normal circumstances, iOS and Android operating systems restrict the user from accessing several features on a smartphone, while the screen is locked except for dialling an emergency number or the camera. An iPhone user, for instance, can access the camera but cannot check the photo album or access contacts. However, the screen bypass vulnerability takes advantage of unauthenticated access to Siri via the lock screen and its access to contacts and photos.
To take advantage of the flaw, a user is required to first activate Siri by either using the home button or hands-free voice command and search for Twitter. To complete the hack, the user needs to search for “@gmail.com” or a domain name of any other email service with the “@” prefix, which returns a list of results.
From here onwards, a user needs to click the tweet button and then via the 3D Touch of the iPhone 6s and iPhone 6s Plus, click on the given email address and wait till the pop-up notification appears. Users will see an “Add new contact” button after the pop-up window appears, which they will have to click to get access to all photos on the device. In a similar way, clicking on “Add to existing contact” will give you access to contacts.
The vulnerability detailed above at times requires several attempts before Siri eventually searches Twitter for an email address. According to a report by Daily Dot, this only works for iPhone models running iOS 9 and above through to iOS 9.3.1 with 3D Touch functionality.
Before Apple officially fixes the bug, users can prevent unauthorised access to their photos and contacts by tweaking a few settings. For instance, disabling Siri access to photos will restrict anyone from checking photos. To do so, just head over to Settings > Privacy > Photos and then disable Siri.
Another way is by disabling Siri on the lock screen, which shields the device from anyone trying to exploit the bug. Just go to Settings > Touch ID & Passcode and then disable Siri.