Apple has fixed an iOS 9.3.1 security vulnerability that allowed access to a user’s contacts and photos on a locked iPhone 6s/6s Plus via Siri. The flaw was patched server-side by Apple on Tuesday.
A video, shared by Jose Rodriguez and first spotted by The Daily Dot, showed a user performing a Siri search on a locked iPhone using “Hey Siri,” or by holding the home button, and then asking Siri to perform a Twitter search. If the search results contained any contact details, such as an email address, 3D Touch could be used on the contact information to bring up a Quick Actions menu, and tapping “Add to Existing Contact” displayed the device’s contact list. A contact could then be selected, and by adding a photo to that contact, the iPhone’s Photo Library could be accessed.
The above method is now disabled on all iOS devices, as it is no longer possible for Siri to conduct a Twitter search on a locked iOS device. If Siri is asked to “Search Twitter” on a locked device, the virtual assistant now replies “You’ll need to unlock your iPhone first.” With this security hole plugged, there is no apparent way to get the exploit to work. An Apple spokeswoman confirmed the fix had been made in a statement to The Washington Post.
9to5Mac reports Apple also fixed another Siri-related bug on Tuesday, one where it was previously possible to enable both Night Shift and Low Power Mode at the same time by asking Siri to turn on Night Shift after Low Power Mode was already enabled. The user is now warned with the response: “In order to turn on Night Shift, I’ll have to turn off Low Power Mode. Shall I continue?”