Apple may have fixed the bug that was causing several apps to crash on iPad and iPhone when tapping a link, but a new bug discovered since remains unpatched. A lock screen bypass has been found that allows anyone to view the contacts and photo albums on an iPhone 6s or iPhone 6s Plus without unlocking the phone with a passcode or Touch ID fingerprint.
A tech enthusiast who goes by the user name Videosdebarraquito on YouTube first discovered the bug. In a video, he showed that an exploit allows a user to access the contact and photo albums of the iPhone 6s or iPhone 6s Plus without unlocking the smartphones.
By default, iOS and Android limit what a user can do on the phone without unlocking the device. An iPhone user, for instance, can open the camera but cannot browse the photo album or the contacts. The exploit takes advantage of unauthenticated access to Siri from the lock screen, combined with Siri's own access to contacts and photos.
To bypass the lock screen and reach the contacts, a user first activates Siri (either with the home button or with the hands-free voice command “Hey Siri”) and asks it to search Twitter. The next part of the trick is to search for “@gmail.com”, or the domain name of any other email provider with the “@” prefix, which returns a list of results.
From here, the user taps the tweet button and then, using 3D Touch on the iPhone 6s and iPhone 6s Plus, presses on the email address and waits for the pop-up window to appear. According to the YouTuber, an “Add new contact” button then appears; tapping it gives access to all photos on the device, and similarly, tapping “Add to existing contact” gives access to the contacts.
The exploit described may require several attempts before Siri searches Twitter for an email address. The Daily Dot reports that it works on 3D Touch-enabled iPhone models running iOS 9 and above through to iOS 9.3.1, though the YouTube user only demonstrates it on iOS 9.3.1.
While we wait for Apple to fix this bug, you can make some tweaks in Settings to prevent unauthorised users from accessing your photos and contacts. Disabling Siri's access to photos will prevent anyone from checking your photos this way. You can do so by going to Settings > Privacy > Photos and disabling Siri.
Alternatively, you can disable Siri on the lock screen, making it impossible for anyone to exploit the bug. You can do so by going to Settings > Touch ID & Passcode and turning off the Siri switch. (Source: NDTV)
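The two Settings toggles above protect one phone at a time. For a fleet of managed iPhones the same mitigation is pushed as a Restrictions payload in a configuration profile, and it is worth checking that a profile really carries it rather than assuming it does. The script below is an added example and not from the original article or from Apple: it parses a profile with Python's plistlib, reports whether any Restrictions payload (PayloadType com.apple.applicationaccess) sets the allowAssistantWhileLocked key to false, which is the managed equivalent of the lock screen Siri switch, and produces a hardened copy when it does not. The sample profile, its identifiers and its UUIDs are constructed placeholders.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
SIRI_LOCKED_KEY = "allowAssistantWhileLocked"  # Apple Restrictions payload key

# Constructed sample: a minimal configuration profile whose Restrictions
# payload never mentions Siri, so Apple's default (Siri allowed on the lock
# screen) applies. All identifiers and UUIDs are placeholders.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.profile.weak</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Constructed weak profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.profile.weak.restrictions</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>allowCamera</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample with no Restrictions payload at all.
NO_RESTRICTIONS_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.profile.empty",
    "PayloadUUID": "00000000-0000-4000-8000-000000000003",
    "PayloadContent": [],
})


def restriction_payloads(profile):
    """Yield every Restrictions payload dict inside a parsed profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            yield payload


def audit_profile(profile_bytes):
    """Report whether the profile switches Siri off on the lock screen.

    The mitigation is enforced only when some Restrictions payload carries
    allowAssistantWhileLocked = false. A missing key leaves Apple's default
    (allowed) in place, which is the exposed state described in the article.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = list(restriction_payloads(profile))
    enforced = any(p.get(SIRI_LOCKED_KEY) is False for p in payloads)
    return {
        "restriction_payloads": len(payloads),
        "siri_on_lock_screen_blocked": enforced,
    }


def harden_profile(profile_bytes):
    """Return a copy of the profile with Siri disabled on the lock screen.

    Sets allowAssistantWhileLocked to false in every Restrictions payload,
    adding one (with placeholder identifiers) if the profile had none.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = list(restriction_payloads(profile))
    if not payloads:
        new_payload = {
            "PayloadType": RESTRICTIONS_TYPE,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile.added.restrictions",  # placeholder
            "PayloadUUID": "00000000-0000-4000-8000-0000000000ff",      # placeholder
            "PayloadDisplayName": "Disable Siri on the lock screen",
        }
        profile.setdefault("PayloadContent", []).append(new_payload)
        payloads = [new_payload]
    for payload in payloads:
        payload[SIRI_LOCKED_KEY] = False
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PROFILE), ("empty", NO_RESTRICTIONS_PROFILE)):
        print(name, "before:", audit_profile(data))
        print(name, "after: ", audit_profile(harden_profile(data)))
```

Run it against a real .mobileconfig by reading the file's bytes into audit_profile; note that profiles exported from an MDM are often signed (CMS-wrapped) and must be unwrapped before plistlib can read them, and that Restrictions payloads are also where the other toggle from the article, Siri's photo access, would be managed rather than left to the device's own Privacy settings.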