An online video of a newly discovered bug in Apple’s iOS 9.3.1 operating system is making the rounds,
showing that it has been possible to access an iPhone user’s contacts and photos without entering a
passcode or scanning a fingerprint.
It does require a very particular set of circumstances. For one, you have to allow Siri to access your
Twitter account, which requires your passcode or fingerprint. You also have to have a phone that uses
Apple’s pressure-sensitive Force Touch, namely an iPhone 6s or iPhone 6s Plus.
Finally, at least according to the video, you have to find a tweet that contains an email address (or
something formatted like an email address) in order to use 3D Touch and call up the phone’s contacts
If all those requirements are met, you simply have to push down on the part of the message containing
the address and call up a menu to add a new contact or edit an existing contact. Doing so takes you to the
phone’s address book. If you opt to edit a photo in an existing contact or add one to a new contact, you
can also choose to use a photo from the phone’s photo album – all without a passcode.
While it’s perhaps unlikely that someone would come across this bug accidentally, it could be easy to
trigger if you’re looking for it. Someone could tweet an email address from their account for this purpose
or, as I did to duplicate this bug, could simply do a search for something like “outlook.com” or
“gmail.com” to find a message that then allows access to the contacts menu.
Disabling Siri’s access to Twitter did not appear to fix the problem; disabling Siri, of course, would.
An Apple spokeswoman said the problem had been fixed Friday morning. Most consumers should have a
fix in place, without the need for a software update, she said.
Still, the YouTube channel that posted the video showing the bug has several other clips pointing out
ways to get into certain parts of the iPhone without having to enter a code or fingerprint on Apple’s lock
screen. Many of these techniques involve Siri – though some of these too have since been fixed.
The Twitter account associated with the YouTube channel belongs to a user going by the name of Jose
Rodriguez. The user has called for Apple to launch a “bug bounty” program that would pay well-
intentioned hackers to find problems like this and bring them to the company’s attention.