Apple has quickly put the kibosh on one of the latest bugs found in its iOS mobile software.
Demoed Monday in a YouTube video, the flaw enlisted Siri to run a Twitter search to look for any results with an email address. On an iPhone 6S or 6S Plus, you could then “force tap” the email link to access the pressure-sensitive 3D Touch menu and choose the option Add to Existing Contact, giving you access to all contacts on the phone. You could also select Create a New Contact and add a photo to that contact, thus providing access to all photos stored on the phone.
On Wednesday Apple confirmed to CNET that the vulnerability was repaired. Siri is server-based, so the flaw was corrected on the company’s end, eliminating the need for iPhone users to install yet another update to iOS.
The problem, which had existed since iOS 9 arrived in September, shows how challenging it can be for a company to test for every potential weakness when rolling out new software. Flaws that allow someone to skirt your lock screen and access certain types of content have been especially frustrating since they undermine the whole idea of securing your phone with a passcode.
How did Apple squash this particular bug? Previously, you could tell Siri to run a search on Twitter without unlocking your phone. Now if you ask Siri to run a Twitter search from the lock screen, you’re prompted to enter your passcode.
The flaw did require a specific set of conditions. Since it relied on 3D Touch, only the iPhone 6S and 6S Plus were affected because they’re the only iPhones equipped with that feature. You also had to have granted Siri access to your Twitter and Photos apps.
Update, 7:00 a.m. PT: Adds confirmation from Apple.
(Via The Washington Post)