Apple has confirmed, via The Washington Post, that it has in fact issued a server-side fix for an iPhone 6s bug that enabled access to a device’s photos and contacts without the need to verify one’s identity either via a passcode or Touch ID.
What made the bug particularly worrisome is that it was relatively easy to exploit. As we detailed yesterday, the security loophole could be triggered by invoking Siri from the lock screen and asking it to search Twitter for an email address or phone number. When a search result appeared, a user could simply use 3D Touch on it to bring up a contextual menu and thereby reach the device’s list of contacts. From there, the user’s entire photo library could be viewed.
The bug in action can be seen below.
Notably, Apple’s fix doesn’t require any action on a user’s part, since it was applied on Apple’s servers rather than through an iOS update. Now, when attempting to conduct a Twitter search via Siri from the lock screen, iOS displays an alert indicating that the phone must be unlocked before the Siri search can continue.