New Lock Screen Bug on iPhone 6s/6s Plus Allows Anyone to Bypass Passcode to Access Contacts and Photos [Update: Fixed]


iOS 9 may be Apple’s most secure mobile operating system to date, but it ships with a major security flaw that allows anyone to bypass the lock screen and gain access to contacts and photos on iPhone 6s and iPhone 6s Plus.

The hack only works on Apple’s latest devices because it relies on 3D Touch. However, the steps required to bypass the lock screen are incredibly simple and take just a minute to perform. That makes this a pretty major flaw that almost anyone could take advantage of.

The video below demonstrates how it works. You start by asking Siri to find something on Twitter, then deep press one of the search results with 3D Touch. iOS 9 gives you the option to add a contact, which lets you see the entire contacts list.

What’s more, it also gives you the ability to assign a photo to this contact, which then provides access to the Photos app and all the images stored on the device.

Although this flaw only affects the latest iPhones running Apple’s latest software, there are millions of devices out there that fit into this category. That makes this a serious flaw that Apple needs to fix as soon as possible.

The Cupertino company has yet to acknowledge the flaw, but you can eliminate it yourself with a few simple steps. Here’s how:

  1. Open up the Settings app on your iPhone
  2. Tap Twitter
  3. Disable Siri access

This will prevent Siri from having access to Twitter, which makes the trick above impossible. It means you won’t be able to use Siri to search Twitter or send tweets yourself, but it’s a small price to pay for security until Apple makes a proper fix available.

Update:

Apple has fixed the bug on the server side without needing a software update. You can no longer search Twitter using Siri when the iPhone is locked. If you try, Siri now says “You’ll need to unlock your iPhone first”. Apple has also issued a statement to The Washington Post to confirm the issue has been fixed.

[via iTwe4kz]
