An online video of a newly discovered bug in Apple’s iOS 9.3.1 operating system is making the rounds, showing that it has been possible to access an iPhone user’s contacts and photos without entering a passcode or scanning a fingerprint.
It does require a very particular set of circumstances. For one, you have to allow Siri to access your Twitter account, which requires your passcode or fingerprint. You also have to have a phone that uses Apple’s pressure-sensitive Force Touch, namely an iPhone 6S or 6S Plus.
Finally, at least according to the video, you have to find a tweet that contains an email address (or something formatted like an email address) in order to use 3D Touch and call up the phone’s contacts menu.
If all those requirements are met, you simply have to push down on the part of the message containing the address and call up a menu to add a new contact or edit an existing contact. Doing so takes you to the phone’s address book. If you opt to edit a photo in an existing contact or add one to a new contact, you can also choose to use a photo from the phone’s photo album – all without a passcode.
While it’s perhaps unlikely that someone would come across this bug accidentally, it could be easy to trigger if you’re looking for it. Someone could tweet an email address from their account for this purpose or, as I did to duplicate this bug, could simply do a search for something like “outlook.com” or “gmail.com” to find a message that then allows access to the contacts menu.
Disabling Siri’s access to Twitter did not appear to fix the problem; disabling Siri, of course, would.
An Apple spokeswoman said the problem had been fixed Friday morning. Most consumers should have a fix in place, without the need for a software update, she said.
Still, the YouTube channel that posted the video showing the bug has several other clips pointing out ways to get into certain parts of the iPhone without having to enter a code or fingerprint on Apple’s lock screen. Many of these techniques involve Siri – though some of these too have since been fixed.
The Twitter account associated with the YouTube channel belongs to a user going by the name of Jose Rodriguez. The user has called for Apple to launch a “bug bounty” program that would pay well-intentioned hackers to find problems like this and bring them to the company’s attention.
(c) 2016, The Washington Post · Hayley Tsukayama