Apple keeps fixing problems in the latest edition of its mobile software, but another one has popped up.
A bug has surfaced in iOS 9 and higher that takes advantage of digital assistant Siri and the pressure-sensitive 3D Touch feature in the iPhone 6S and iPhone 6S Plus. The glitch was initially demoed in a video by a YouTube user named Ideosdebarraquito and then further detailed in a second video by YouTuber EverythingApplePro.
The flaw is triggered by asking Siri to search Twitter, specifically for a result that includes an email address. On an iPhone 6S or 6S Plus, you then “force tap” on the email link to access the 3D Touch menu and choose the option to Add to Existing Contact, which provides access to all contacts. You can also choose to Create a New Contact and add a photo to that contact, which gives access to all photos.
The bug requires specific settings to be enabled, so it will not affect everyone. But the problem shows how difficult it can be for a company like Apple to test every possible scenario when releasing a new version of its mobile software. Bugs that allow someone to bypass the lock screen have been especially notorious since they defeat the whole purpose of securing a phone with a passcode.
The flaw requires a device with 3D Touch, which means it will work only on the iPhone 6S or 6S Plus. Siri also needs to be set up to use your Twitter and Photos apps.
Unless or until Apple fixes the bug, you can protect yourself. Go into Settings, choose the Privacy option, tap Photos and then disable the option for Siri if it appears. That will block access to Photos if someone exploits the flaw. However, it won’t cut off access to your contacts. To fully protect yourself, go into Settings, choose Touch ID & Passcode and enter your passcode. Then scroll down and disable the option to give Siri access when the screen is locked.
Apple did not immediately respond to CNET’s request for comment.