iOS 9.3.1 Vulnerability Allows Access to iPhone Photos and Contacts

Shortly after Apple released iOS 9.3.1 last week, it looks like the company may have to release iOS 9.3.2 soon: a new vulnerability discovered by YouTuber Videosdebarraquito allows anyone to access private photos and contacts on a locked iPhone.

A video surfaced online yesterday purporting to show a vulnerability in iOS 9.3.1 that allows anyone to access photos and contacts on a locked iPhone without having to enter a passcode. That’s right, anyone can view all of the photos stored in your camera roll or your contacts list without unlocking the device with a passcode or Touch ID fingerprint scan. For most people this bug is a major concern, as it can put their privacy at risk if someone gets access to their device. This iOS 9.3.1 vulnerability, which is also found on older iOS 9 versions, only affects iPhones with 3D Touch, including the iPhone 6s and iPhone 6s Plus.

The hack only works on Apple’s latest devices because it relies on 3D Touch. However, the steps required to bypass the lock screen are incredibly simple and take just a minute to perform, which makes this a pretty major flaw that almost anyone could take advantage of.

How to view photos or contacts without unlocking iPhone

If you wish to replicate the results on your device to see the glitch in action, then follow the steps below.

  • On an iPhone 6s or iPhone 6s Plus say “Hey Siri, search Twitter”.
  • Siri will ask you what you want to search for on Twitter; reply “@me.com”. You can replace this with any other popular email domain.
  • Now Siri will show you the tweets matching your query, tap on the one that contains a full email address.
  • Force tap on the email address so a popup appears. Next, tap on the ‘Add New Contact’ button and then tap on the photo box. Doing so will allow you to view all the photos stored on that device without needing to unlock it with a passcode or Touch ID scan. If you want to view the contacts list instead, you can tap on the ‘Add to Existing Contact’ button.

Users worried about the vulnerability can protect themselves by ensuring Siri’s access to Twitter and Photos is disabled. Here’s how:

  1. Open up the Settings app on your iPhone
  2. Tap Twitter
  3. Disable Siri access

This will prevent Siri from having access to Twitter, which makes the trick above impossible. It means you won’t be able to use Siri to search Twitter or send tweets yourself, but it’s a small price to pay for security until Apple makes a proper fix available.
