iOS 9.3.1 Flaw Allows Access To Contacts & Photos From Lock Screen, Protect Your Device Now


#1

A new way of access photos and contacts with passcode enabled iPhone 6S, 6S Plus and 6 SE (iOS devices with 3D touch capability) has been discovered through the use of Siri at the lock screen page.

Background:
• it’s worth pointing out that while this vulnerability in Siri certainly does exist, it’s also extremely specific and really isn’t something that the average person would simply stumble across to gain access to a device’s data.
• In addition to that, it’s also entirely preventable, meaning that there is something very explicit that device owners can do within the device settings to ensure that any would-be intruder who is aware of this trick can’t use it to their advantage.

What is it & how it works?

• The exploit works by asking Siri to search Twitter from the lock screen of the device. The malicious individual then accesses a Twitter bio which could contain actionable Contacts data, and then uses 3D Touch to bring up the Quick Actions contextual menu, choosing the “Add to Existing Contact” option, opening up a list of all contacts on the device.
• You can further drill down and get access to all of the photos saved on the device also if the Contacts app has earlier been permitted to access the Photos app. It has also been revealed that the same loophole also applies to WhatsApp search results for friends via Siri.
Steps provided here to show how it works in embedded video too.

Impact:
• It’s that requirement of 3D Touch which means this particular exploit will only work on the iPhone 6s and iPhone 6s Plus right now running iOS 9 and above.

What you need to do?
• This is applicable only in cases where a user has allowed Siri to integrate Twitter into its searches. This is precisely why you can also avoid this situation.
• If you want to entirely disable the ability for anyone to gain this type of access via Siri, then you can simply turn off Siri’s ability to access certain apps.

As an example, if Siri has been used previously to search Twitter, then you can head over to Settings > Privacy > Twitter, and make sure the Siri toggle is switched to the Off position.

• Additionally, to prevent Siri from accessing your photos, head over to Settings > Privacy > Photos and uncheck Siri.

Source