Siri search bug allows others to get into your Contacts and Photos without knowing the passcode

posted by Alan F. / Apr 05, 2016, 12:00 AM

Siri search bug allows others to get into your Contacts and Photos without knowing the passcode

A flaw has been discovered on the iPhone's virtual voice-activated personal assistant Siri. With this bug, someone in possession of your iPhone could get into your Contacts or your Photos without having to punch in a passcode. The bug affects Apple iPhone 6s and Apple iPhone 6s Plus models that are set up to allow Siri to search their Twitter account and Photos app.

To see the flaw in action, open Siri and ask Siri to do a Twitter search. If the search results contain data found in contacts, like an email address, use 3D Touch to click on "Add to Existing Contact." Not only does that bring up the Contacts list, that list can also be used to access the Photos on your phone.

You can prevent this from happening to you by disabling Siri's Twitter and Photos integration. All you need to do is go to Settings > Twitter and turn off Siri. Once that is done, go to Settings > Privacy > Photos and again, disable Siri.

We should point out that the first time you use Siri to search Twitter, you will have to verify that you own the phone via a correct passcode entry, or by using Touch ID. Once that has been completed, those knowing about the bug will be able to break into Contacts and Photos using the flaw as seen in the video below.

source: videosdebarraquito via AppleInsider

Related phones

View Full specs

PhoneArena Rating:

9.3

Read Full Review

User Rating:

9.4

Based on 31 Reviews

Display 4.7" 750 x 1334 pixels

Camera 12 MP / 5 MP front

Processor Apple A9 APL0898, Dual-core, 1840 MHz

Storage 128 GB

Battery 1715 mAh(14h 3G talk time)

View Full specs

PhoneArena Rating:

9.2

Read Full Review

User Rating:

9.2

Based on 21 Reviews

Display 5.5" 1080 x 1920 pixels

Camera 12 MP / 5 MP front

Processor Apple A9, Dual-core, 1840 MHz

Storage 128 GB

Battery 2750 mAh(24h 3G talk time)

FEATURED VIDEO

Options

28 Comments

1. RichardYarell

Posts: 67; Member since: Mar 24, 2016

Barf on Apple for this

posted on Apr 05, 2016, 12:07 AM 3

30. AlikMalix unregistered

UPDATE::::: Apple already fixed!!!! No need a patch - it was done server-side. http://iphone.appleinsider.com/articles/16/04/05/apple-fixes-ios-exploit-that-granted-access-to-iphone-6s-contacts-photos

posted on Apr 05, 2016, 11:51 PM 0

2. Wiencon

Posts: 2278; Member since: Aug 06, 2014

Oh man here we go again

posted on Apr 05, 2016, 12:39 AM 2

11. AlikMalix unregistered

This is not possible on devices without 3D touch.. this is not a Siri exploit, it's a 3D Touch thing.... This stuff is easy to find on iOS (although this stuff exists on all android devices, PC's, and anything with computer code - that's just the nature of code, because it's written by men)... But iOS devices are very similar to eachother, so it's easy to spot and reproduce this - android are all different, so when you find an exploit in let say LG G5 - no one gives a crap to report it... Anyways, confident that Apple will patch this, very sorry that most android users are still vulnerable to Stagefright!!!

posted on Apr 05, 2016, 4:12 AM 1

13. Ordinary

Posts: 2454; Member since: Apr 23, 2015

Stagefright is fixed even on S2 long time ago. At the same time iOS has 4 times more vulnerabilities than Android!

posted on Apr 05, 2016, 5:02 AM 3

14. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

last report it was something like 280 vs 160...not really 4 times but yes ios had more.

posted on Apr 05, 2016, 6:22 AM 1

15. MrElectrifyer

Posts: 3960; Member since: Oct 21, 2014

Sources later than this showing 375 vs 130? Do share... http://www.dereferer.org/?http%3A%2F%2Fbit%2Ely%2F1SswEXw

posted on Apr 05, 2016, 7:07 AM 0

19. AlikMalix unregistered

oh man, I just had this conversation already. Look at the article and go to the sourse website: these are a list of volnurabilities that were patched not volnurabilities that are still in the wild. Angroid may have a lot more than what's listed, but if Google did not address them then they wouldn't be on threat list. I gotta explain this to these kids again since they prefer to look at pictures than to read. The article that someone posted sources the numbers from a website that analyzes updates and patches for fixes that are included in those. Yes Apple patches more volnurabilities that android based on these numbers - but here's the kicker these represent holes that were already patched during the year by Apple or Google. You can also confirm this because every volnurability listed is described as "...before ios9.1, or before ios8.3, or before ios7.2" and so on. The other kicker is it describes android volnurabilities based on versions of android, like so " android 6.x and older, android 5.x and older, android 4.4 and older" and so on. Now consider which platform has nearly 80% running latest update and which platform has only 3% running latest update. You'll quickly realize that android users are the ones sitting ducks with Unpatched holes because they never got updates for newly discovered volnurabilities. It's not how often you fall, it's haw fast you get up. Apple patches thes within days now, android is still laying on their face. @ordinary, Google may have made a fix for stagefright, but there are hundreds of millions still waiting for an update.

posted on Apr 05, 2016, 10:09 AM 0

23. marorun

Posts: 5029; Member since: Mar 30, 2015

Sure but reality is there is usually more total hole in ios than on android. Patched or not the total is much more on ios than android ( thanks got they patch it lol ) You mean 80% of ppl going to apple app store use latest version right? Because in reality easily 50% of iphone user i serve at work dont even install app on the phone they use it only for call , text and email. ( to be truthfull same apply to android phone user ) So its easy to play with number like this. As for stagefright like the name say its feel like a staged not real vulnerability as i never had 1 client thats got it so its like a ghost issue thats never happen to anyone strange..

posted on Apr 05, 2016, 11:39 AM 1

27. AlikMalix unregistered

You did not read or did not comprehend what I wrote - those holes reported are the patched ones. I'll really simplify it for you: For all we know android and apple both had 1000 holes each - Apple patched 300 of them and android patched only 150. In addition Apples updates reached 80% adoption android 3%. Come on, why can't you understand what is talked about. There are more holes on android and iOS than talked about on that sourse website - these are just the ones caught and patched. It is impossible to catch as many holes on android devices because there are so many different citation - but they are there! Malware isn't designed to be noticed when someone has it. And EVERYONE I know installs loads of apps on any Device they have. I'm not sure where "your store" is located that 50% of iPhone users don't install apps and only use it for call sounds far fetched. I'm not playing numbers, the article mr electrocuted linked to does NOT reveal what these numbers mean - they do not mean that this is what is actually outthere, but that they analyzed the patches that Apple and Google has sent out and that's what they see being patched - that might as well mean that Google does not patch all their vlnurabliities often enough to insure they're all exterminated...

posted on Apr 05, 2016, 12:46 PM 0

17. PhoneCritic

Posts: 1354; Member since: Oct 05, 2011

Nothing is invulnerable. Not Android not iOS so do not fool yourself into a false sense of security that iOS is perfect. As you stated it is all coded by men- Both iOs and Android so pointing out that one is more secure than the other is false.

posted on Apr 05, 2016, 8:39 AM 0

20. AlikMalix unregistered

Yea but if there's a volnurability - I get my patch in days, vs android users who sometimes wait years.

posted on Apr 05, 2016, 10:14 AM 0

24. marorun

Posts: 5029; Member since: Mar 30, 2015

Some vulnerability thats got patched in 9.3 existed since before ios 5.0 lol so dont go there Alik. Those website thats you say give the patched number of vulnerability also usually say since what version those vulnerability are present..

posted on Apr 05, 2016, 11:39 AM 0

28. AlikMalix unregistered

Link to me where it actually says "since before 5.0"?

posted on Apr 05, 2016, 5:02 PM 0

21. natypes

Posts: 1110; Member since: Feb 02, 2015

hahah you're so salty

posted on Apr 05, 2016, 10:15 AM 0

4. Master_Yoda

Posts: 4; Member since: Sep 12, 2015

Techie's essay I can sense

posted on Apr 05, 2016, 12:42 AM 6

6. TheWeasel

Posts: 403; Member since: Dec 26, 2014

The dark side of the force has clouded your vision, my friend.

posted on Apr 05, 2016, 1:39 AM 2

5. Arch_Fiend

Posts: 3951; Member since: Oct 03, 2015

When I try to do a twitter search siri tells me to unlock my iPhone, guess this doesn't really work. Never mind after a moment siri ask permission to use my twitter account and a simple yes gets you though without unlocking. SMH Apple.

posted on Apr 05, 2016, 12:48 AM 0

7. twens

Posts: 1177; Member since: Feb 25, 2012

9.3 is working fine I just hate the fact that Apple is becoming too known with so much update numbers. I mean after 9.3 you still have to create more bags to jump to 9.4 huh? Meanwhile android is on 6.0.1 and they're doing fine with not much major problems.

posted on Apr 05, 2016, 1:43 AM 1

8. ibend

Posts: 6747; Member since: Sep 30, 2014

daily OS update = daily new bug added

posted on Apr 05, 2016, 1:56 AM 1

9. QuasarExod

Posts: 102; Member since: Mar 29, 2016

The OS with most vulnerabilities.

posted on Apr 05, 2016, 3:26 AM 4

10. AlikMalix unregistered

The OS with most vulnerabilities... that are patched!!! (fixed that for you). Versus Android that still has MOST vulnerabilities exposed due to inability to distribute latest updates....

posted on Apr 05, 2016, 4:03 AM 1

26. marorun

Posts: 5029; Member since: Mar 30, 2015

But many thats dont get patched for years... Here some example : CVE-2011-2391DoS 2013-09-19 : found 2015-11-30 : fixed Complete The IPv6 implementation in the kernel in Apple iOS before 7 allows remote attackers to cause a denial of service (CPU consumption) via crafted ICMPv6 packets. Second example : CVE-2014-1266 2014-02-22 : found 2015-07-10 :Fixed The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step. So as we said before apple not better they do look better because they do update after update but end result is you might have much more vulnerabilities on your iphone than you think and as you have a false sense of security ( thats you should NEVER have no matter what OS and brand you use! ) you leave yourself open.

posted on Apr 05, 2016, 11:55 AM 2

29. AlikMalix unregistered

Once again, these are fixed, no one knew about them until this website people analyzed apples update software to list it on their site. Apple saw it and patched it, the after that the website posted it. Just because android has less patched holes, does not mean that they patched them all - they just patched the ones they found - Apple is better at finding their own volnurabilities than android within its own software due to.. (dare I say the "F" word)... fragmentation.