A new video shows a vulnerability in iOS 9.3.1 that allows anyone to view photos and contacts on a locked iPhone without entering a passcode. Luckily, the flaw is easy to protect against, and it only works on iPhone 6s and iPhone 6s Plus handsets, because one of the steps relies on 3D Touch.
The video, uploaded by Jose Rodriguez and first spotted by The Daily Dot, shows a user invoking Siri on a locked iPhone, either with “Hey Siri” or by holding the home button. Siri is then asked to perform a Twitter search. If the search results contain any contact details, such as an email address, 3D Touch is used on the contact information to bring up a Quick Actions menu, where tapping “Add to Existing Contact” displays the device’s contact list. A contact can then be selected, and adding a photo to that contact opens the iPhone’s Photo Library.
The iPhone’s contacts and Photo Library can only be accessed in this manner if the device’s owner has granted Siri permission to access Twitter account information, Contacts, and Photos. Also, if your iPhone reboots, or the Touch ID grace period has timed out, the device’s passcode will need to be verified before using Siri. So, chances are this won’t ever happen to you, especially if you keep your iPhone close to your heart. (Or in your pants pocket or purse, whatever. -Ed.)
Those concerned about the flaw can disable Siri’s Twitter integration by going to: “Settings” -> “Twitter” and switching off Siri. Then do the same in: “Settings” -> “Privacy” -> “Photos” to disallow Siri’s access to an iPhone’s photo library.
You can also disable Siri on the Lock Screen altogether by going into “Settings” -> “Touch ID & Passcode” and turning off the “Siri” switch under “ALLOW ACCESS WHEN LOCKED.” However, please understand that this eliminates the ability to use Siri while on the Lock Screen.