Apple has reportedly fixed a security flaw in the iOS operating system that would allow attackers to be able to bypass passcode lock screens on iPhone 6S and 6S Plus that are running version 9.3.1 of iOS. The bypass would have allowed malicious parties to be able to access the address book and photos of a targeted device, which could expose a lot of private data.
German security firm, Evolution Security, were responsible for discovering the bypass, which takes advantage of the integration of Siri with apps such as Twitter or Facebook, as well as the new 3D Touch feature that is included only in the iPhone 6S and 6S Plus. Even while the device is locked, an attacker would be able to request information on @ tags from Twitter, Facebook, and Yahoo. From there, the 3D touch’s hard push feature can be used to bring up the context menu for a string such as an email address. This menu provides the ability to add the data to a contact in the phone’s address book and from there, by accessing the choice to change user pictures, the photo gallery can be launched.
According to the Washington Post, the vulnerability was patched by Apple on Tuesday without users needing to install a software update. Considering the high level of security on the iPhone that led to Apple’s protracted battle with the FBI, it is surprising that so much user data can be exposed by a flaw in the lock screen, which is often the first and last line of defense for the security of the data on the device.