Apple has fixed a security flaw that let Siri access Contacts and Photos from the lockscreen for devices running iOS 9 and above.
The vulnerability was discovered by YouTuber Jose Rodriguez, and only affects the iPhone 6S and the 6S Plus as it involves 3D Touch. In the video, Rodriguez initiates a Twitter search via the “Hey Siri” feature, without unlocking the phone. His search of a contact brought up contact information, allowing him to press down on it with 3D Touch to bring up a Quick Actions menu.
The Daily Dot found that you can ask Siri to search Twitter for “@gmail.com” or any other second half of an email address to pull up a contact’s informatiom. When you see a tweet with an email address, that’s when you can bring up the Quick Actions menu.
Rodriguez then taps “Add to Existing Contact,” which brings up his entire Contacts list, and he follows that by tapping on a contact and hitting “Add Photo,” which then offers full access to his photo library.
Essentially, Rodriguez shows the flaw could offer someone else using a locked device access to Twitter contact information, your contacts, and your photos. Do note that it’s only possible to access if you have granted Siri access to Contacts, Photos, or Twitter account information.
It also seemed to vary as to whether you can access this Twitter search without providing a passcode — most of the time Siri asked for a passcode, but some times it randomly went ahead with the search.
An Apple spokesperson says the issue was fixed this morning, and the fix is rolling out server side globally.
If you’re still wary, you can turn off Siri’s access to search Twitter by heading to Settings, finding Twitter, and toggling Siri off.