Newly discovered Siri search-handling bugs allow nefarious users to access Contacts and Photos data on the iPhone 6S and iPhone 6S Plus. The bugs bypass passcode-protected lock screens on these devices. However, only a subset of devices is vulnerable to the bugs.
Last September, Jose Rodriguez discovered a similar lock screen flaw. However, the security hole appears effective only in certain scenarios. AppleInsider confirms that Siri app search allows the iPhone 6S and iPhone 6S Plus handsets to share Twitter, Contacts, and Photos data due to the vulnerability. A proof-of-concept video shows the same thing.
The nefarious user can invoke Siri through a long home button press or the iPhone’s “Hey Siri” function. The user can then conduct a Twitter search with the help of the virtual assistant. In the example, the search results contain actionable Contacts data, such as an e-mail address, on which a 3D Touch gesture can be used.
From the 3D Touch Quick Actions menu, tapping “Add to Existing Contact” opens the iPhone’s Contacts list, through which device photos can be accessed, provided it is configured.
Rodriguez told AppleInsider that the 3D Touch loophole also allows a Siri search for the WhatsApp friends list. However, certain conditions must be met for the loopholes to be leveraged successfully. The user must have granted Siri access to their Twitter account, photo library or related app, either through Siri itself or manually, for the data to show up in Siri searches. These service permissions can be configured in the Settings app on the iPhone.
If a user commands Siri to conduct a Twitter search, the assistant will ask permission to access that device’s Twitter account, as per the device settings. To verify ownership, Siri will have to obtain the account owner’s confirmation through passcode or Touch ID.
Users can avoid these potential intrusions with a few simple actions. Concerned users can disable Siri’s access to Twitter by going to Settings > Twitter and switching off Siri. Similarly, users can go to Settings > Privacy > Photos to cut Siri’s access to an iPhone’s photo library.