A bug in the newly released iOS 9.3.1 affects iPhone 6s and iPhone 6s Plus models and can be exploited via Siri. Attackers can bypass an iPhone’s lock screen using a Siri search and access the user’s contacts list and private photos.

Users may be aware of a similar bug which plagued iOS 9.3 and was fixed in September by Apple. The current bug looks much like the earlier one and causes twice as much damage by giving hackers access to the private album and contacts on the iPhone 6s and 6s Plus.

Jose Rodrigues discovered this issue and made a proof-of-concept video. Rodrigues also found a similar problem in iOS 9 last September, when he learned that he could also use Siri to access a phone owner’s contact list and photos by asking Siri what the time was. For the current bug, Rodrigues found that when he told Siri to search Twitter for various terms and encountered an email address, he could access menu options allowing him to add the address to an existing contact, without being asked for a password in advance. From there, he could also choose to add or update the contact’s photo and access the iPhone’s photo gallery.

While iPhone 6s and 6s Plus users wait for Apple to release a patch that fixes the bug, there is a simple fix, but one that will temporarily cripple your iOS 9.3 or iOS 9.3.1 experience. You’ll have to go to the Settings app, go to Touch ID & Passcode, and disable Siri on the lock screen. Alternatively, you could just remove Photos access from Siri, so that people can’t view any pictures if they take advantage of the flaw. Go to Settings, then Privacy and then Photos to prevent Siri from accessing pictures. Of course, Siri could still ask you for permission to view photos on the device when a user tries to abuse this security issue.