Siri security flaw on iPhone 6s & 6s Plus grants access to Contacts and Photos


  1. #1
    Administrator


    A newly discovered Siri search handling bug allows nefarious users to bypass passcode-protected lock screens on iPhone 6s and 6s Plus handsets, granting easy access to Contacts and Photos data. The vulnerability is likely applicable only to a subset of devices, however.

    Discovered by Jose Rodriguez, who found a similar lock screen flaw last September, the security hole appears effective only in certain scenarios. As presented in a proof-of-concept video, and confirmed by AppleInsider, the vulnerability applies to iPhone 6s and 6s Plus handsets configured to allow Siri app search integrations for Twitter, Contacts and Photos.

    In the example provided, a user — or nefarious agent — invokes Siri via a long home button press, or iPhone's "Hey Siri" function, and asks the virtual assistant to conduct a Twitter search. If the search results contain actionable Contacts data, like an email address, a 3D Touch gesture can be used to call up a contextual menu with options to send mail and add or modify contact information.

    From the 3D Touch Quick Actions menu, tapping on "Add to Existing Contact" opens an iPhone's Contacts list, which can then be used to access device Photos, if so configured.

    Rodriguez told AppleInsider the 3D Touch loophole is also applicable to Siri results for WhatsApp friends list searches.







    There are a few caveats to successfully leveraging the apparent security flaw. Specifically, a device owner must have previously granted Siri access to their Twitter account, photo library or related app either by conducting a Siri search themselves, or manually configuring service permissions in Settings. When a user first asks Siri to conduct a Twitter search, the assistant will seek permission to access that device's Twitter account, as indexed in device settings. In order to verify ownership, Siri requires account owner confirmation via passcode or Touch ID.

    Those concerned about potential intrusions can disable Siri's Twitter integration by navigating to Settings > Twitter and switching off Siri. Doing the same in Settings > Privacy > Photos cuts Siri access to an iPhone's photo library. Alternatively, Siri itself can be completely disabled.

    The workaround is active in Apple's latest iOS 9.3.1 update.





    4-5-16
