The vulnerability was discovered by YouTuber Jose Rodriguez, and only affects the iPhone 6S and the 6S Plus as it involves 3D Touch. In the video, Rodriguez initiates a Twitter search via the “Hey Siri” feature, without unlocking the phone. His search of a contact brought up contact information, allowing him to press down on it with 3D Touch to bring up a Quick Actions menu.
The Daily Dot found that you can ask Siri to search Twitter for “@gmail.com” or any other second half of an email address to pull up a contact’s information. When you see a tweet with an email address, that’s when you can bring up the Quick Actions menu.
Rodriguez then taps “Add to Existing Contact,” which brings up his entire Contacts list, and he follows that by tapping on a contact and hitting “Add Photo,” which then offers full access to his photo library.
Essentially, Rodriguez shows the flaw could offer someone else using a locked device access to Twitter contact information, your contacts, and your photos. Note that this access is only possible if you have granted Siri access to Contacts, Photos, or Twitter account information.
Whether you can reach this Twitter search without providing a passcode also seemed to vary: most of the time Siri asked for a passcode, but sometimes it randomly went ahead with the search.
An Apple spokesperson says the issue was fixed this morning, and the fix is rolling out server side globally.
If you’re still wary, you can turn off Siri’s access to search Twitter by heading to Settings, finding Twitter, and toggling Siri off.