APPLE HAS BEEN QUICK to fix an issue that let anyone access contacts on photos on a locked iPhone 6S or 6S Plus.
In a statement to the Washington Post, Apple confirmed that the bug was fixed, without users' having to update their software. Again.
Just days after releasing iOS 9.3.1 to fix the link-crashing glitch plaguing iPhones and iPads, it was discovered that a bug in the software allowed anyone to access photos and contacts on a locked device.
A YouTube video (below) shows the vulnerability in action and reveals that all a hacker needs to pilfer contacts from a passcode-locked iPhone 6S or 6S Plus is access to Siri and 3D Touch.
The hack proved worryingly easy to execute. You simply fire up Siri by pressing the home button or the 'Hey Siri' command, and ask Apple's mouthy digital assistant to initiate a Twitter search. If the results include contact details such as an email address, using 3D Touch on the contact information will bring up the Quick Actions Menu and allow you to add it to an existing contact - in turn offering access to the iPhone's entire contacts list.
What's more, by selecting a contact and choosing to add an image, the iPhone's entire photo library can be accessed.
As Siri could carry out the command in question only if given permission to access Twitter account information, as well as contacts and photos, a quick fix was discovered. To revoke these permissions, head to Settings > Privacy and switch off Siri's access to Twitter and Photos. To stop it accessing your contacts, you'll need to disable Siri's lock screen activation by heading to Settings > Touch ID & Passcode.
The link-crashing glitch and new Siri and Touch ID flaw aren't the only problems that have bothered early iOS 9.3 adopters.
The firm was forced to release yet another update to fix a bug plaguing users of older Apple devices who reported that the update turned their iPhone and iPad into an expensive lump of metal and glass. µ
To hear more about security challenges, the threats they pose and how to combat them, sign up for The INQUIRER sister site Computing's Enterprise Security and Risk Management conference taking place on 24 November.
No comments:
Post a Comment