Security Flaw in iOS 9.3.1 Allows Access to iPhone Photos and Contacts

Status
Not open for further replies.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
7,428
8,491



A video surfaced online yesterday purporting to show a vulnerability in iOS 9.3.1 that allows anyone to access photos and contacts on a locked iPhone without having to enter a passcode.

The YouTube video, uploaded by Jose Rodriguez and first spotted by The Daily Dot, depicts a user performing a Siri search followed by a series of relatively simple steps, one of which involves 3D Touch, limiting the exploit to iPhone 6s and 6s Plus devices.


The procedure starts by invoking Siri on the locked phone by holding the home button or using the "Hey, Siri" function, and then asking the personal assistant to initiate a Twitter search. When the returned results include contact details such as an email address, a 3D Touch gesture is used on the contact information to bring up a Quick Actions menu. Tapping "Add to Existing Contact" then brings up the iPhone's Contacts list. By selecting a contact and opting to add a photo to the entry, the phone's photo library can also be freely accessed.

The flaw is only applicable if the iPhone owner has previously granted Siri permission to access Twitter account information as well as to Contacts or Photos, operations which require establishing ownership of the device with the passcode or Touch ID. Additionally, if the iPhone has exited a Touch ID grace period, a passcode is still required before using Siri.

Users worried about the vulnerability can protect themselves by ensuring Siri's access to Twitter and Photos is disabled. On your device, go to Settings -> Privacy -> Twitter and if Siri is listed, turn off its access. Likewise, in Privacy -> Photos, turn any listing of Siri access to the Off position. Revoking Siri's access to your Contacts requires the more drastic action of disabling Siri lock screen activation. To do so, go to Settings -> Touch ID & Passcode and turn off the Siri switch.

Apple released iOS 9.3.1 to the public last week, marking the first update to iOS 9 since iOS 9.3 launched on March 21. iOS 9.3.1 came just over a week after the launch of iOS 9.3 and brought a fix for a significant web link crashing issue that affected many iOS users.

Article Link: Security Flaw in iOS 9.3.1 Allows Access to iPhone Photos and Contacts
 
Reactions: rshrugged
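For administrators who want to enforce the article's last mitigation (turning off Siri on the lock screen) on managed devices, here is an added example; it is not part of the original post or of Apple's tooling. It builds a configuration profile with the Restrictions payload key `allowAssistantWhileLocked` and audits an unsigned profile for that key. The identifier `com.example.mdm` and the weak sample profile are constructed placeholders.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type


def _payload(ptype, ident, name, **extra):
    """Common keys every profile payload carries, plus payload-specific ones."""
    base = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }
    base.update(extra)
    return base


def build_profile(org_id="com.example.mdm", lock_siri=True):
    """Return .mobileconfig bytes; org_id is a constructed placeholder."""
    extra = {"allowAssistantWhileLocked": False} if lock_siri else {}
    restrictions = _payload(RESTRICTIONS_TYPE, org_id + ".restrictions",
                            "Restrictions", **extra)
    profile = _payload("Configuration", org_id + ".profile",
                       "Lock screen Siri restriction",
                       PayloadContent=[restrictions])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def siri_allowed_while_locked(profile_bytes):
    """True if this unsigned profile leaves Siri reachable from the lock screen.

    The key defaults to true, so a profile that omits it (or has no
    Restrictions payload at all) does not enforce the mitigation.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == RESTRICTIONS_TYPE
                and payload.get("allowAssistantWhileLocked", True) is False):
            return False
    return True


if __name__ == "__main__":
    weak = build_profile(lock_siri=False)   # constructed sample: key omitted
    hardened = build_profile()
    print("weak profile leaves Siri on lock screen:", siri_allowed_while_locked(weak))
    print("hardened profile leaves Siri on lock screen:", siri_allowed_while_locked(hardened))
```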

MH01

Suspended
Feb 11, 2008
12,118
9,213
Weird release this 9.3, we get stories ranging from being the most stable release, to people not being able to log into iCloud, security leaks etc... seems like a bit of a dog's breakfast.

I'd be happy for Apple to take more time with software releases and not give us annual updates to iOS / OS X.
 

x0vash0x

macrumors regular
Dec 1, 2014
191
189
I don't understand how this is a security issue. You have to grant Siri access to this information to begin with. Seems more likely a feature than a flaw to me. I guess the issue is that Siri should ask for your passcode first? But, if you granted Siri access to your Photos and Contacts, why should that be necessary?

Meh. It's all trivial to me.
 

Afsal

macrumors newbie
Apr 5, 2016
3
0
Hi,
The same bug is on iPhone 6 Plus (9.3.1) as well. Siri will open photos without passcode, but other apps, documents and email required passcode. Not all the time, if we tried 5 times it will open one time like. A serious bug.
 

arkhanjel

macrumors regular
Nov 3, 2003
121
75
MH01 said:
> Weird release this 9.3, we get stories ranging from being the most stable release, to people not being able to log into iCloud, security leaks etc... seems like a bit of a dog's breakfast.
>
> I'd be happy for Apple to take more time with software releases and not give us annual updates to iOS / OS X.

Unfortunately I think we're in the minority when it comes to Apple taking more time for the major updates. More time in between updates equals bad for most of the media and people in general. Then the "Apple is doomed" talks get amplified. Haha.
 

Macneck

macrumors regular
Oct 17, 2012
122
129
.. just little bits of history repeating
.. and I've seen it before
.. and I'll see it again
.. yes I've seen it before
.. just little bits of history repeating
 
