Apple has fixed a serious vulnerability in iOS that allowed any user to access the contacts and some other information on some iPhone models when they were locked.
The bug was the result of a problem in the way that iOS 9.3.1 handled some commands through Siri. In some specific cases, an attacker with access to an iPhone 6 or 6 Plus could ask Siri to search in an app such as Facebook or Twitter for a name or username. Then, using the 3D touch feature, which allows for different kinds of finger presses, the attacker could open up a separate menu and add the user to the contacts on the phone. That action would give him access to the phone’s contacts and other limited information.
The vulnerability was discovered by researchers at Vulnerability Lab, which disclosed it to Apple. The vendor made a fix on their side Wednesday that prevents the attack from working.
“The bug is located in the inner app @ link GET method requests of an installed application. Remote attacker can use siri to request an available runtime app of the task. The interaction is allowed without passcode. After that the attacker surfs over the for example facebook, twitter or yahoo app and search for `@[TAGS]`. The attacker clicks the add tag and holds the button. The new 3d touch sensor of the apple iphone 6s and plus models allows new interactions by processing to push hard the basic context menu becomes visible to the attacker. In the available context menu it is possible to choose to add another new contact,” the vulnerability report says.
By using this technique, an attacker could bypass the passcode lock on a vulnerable iPhone. The researchers who discovered it said it could have resulted in the leak of sensitive user information.
“Exploitation of the passcode protection mechanism bypass vulnerability requires a low privileged ios device user account and no user interaction. Physical apple device access is required for successful exploitation,” the bulletin says.
“Successful exploitation of the vulnerability results in unauthorized device access, mobile apple device compromise and leak of sensitive device data like the address-book, photos, sms, mms, emails, phone app, mailbox, phone settings or access to other default/installed mobile apps.”