New iOS 9.3.1 exploit lets anyone access your photos and contacts without a passcode
A longtime iOS tinkerer has just discovered a frighteningly easy way to view an iPhone’s photos and contacts list without a passcode or fingerprint.
On his YouTube channel, user Videosdebarraquito showcases an all-new exploit that gives anyone with access to a locked iPhone 6s or 6s Plus the ability to view the phone’s contact list and photo albums. Check out the video demonstration of the exploit:
If that was a little too fast for you to catch, here are the steps:
1. Activate Siri, either with the home button or by saying “Hey Siri.”
2. Ask Siri to search Twitter.
3. When Siri asks what to search for, say “@gmail.com” or the second half of any other email address.
4. When Siri produces the list of results, find a tweet with a full email address in it.
5. Click the tweet and then, using the 3D touch of the iPhone 6s and 6s Plus, firm press on the email address so that the pop-up window appears.
6. Click “Add new contact.” From here, you’ll be able to click the photo box to view all the photos on the device. Alternatively, you can click “Add to existing contact” to browse all the other contacts saved on the device.
It’s important to note that this exploit is only possible using the 3D touch pop-up feature and, therefore, is only doable on the iPhone 6s and 6s Plus. The exploit works with iOS 9 through the newly released 9.3.1.
Additionally, while I was able to replicate this glitch with ease on my iPhone 6s Plus running iOS 9.3.1, it took a considerable number of tries to get it to work the first time.
At first, the iPhone repeatedly asked me to enter my passcode after I asked it to search Twitter. Eventually, however, the phone allowed me to search without a passcode, seemingly at random, and it hasn’t asked me for my passcode again ever since. Videosdebarraquito told me that others had similar issues at first, but that it eventually worked.
After further testing, this appears to be linked to whether the user has previously allowed Siri to access their Twitter account. You can change this preference by going into your Settings, selecting Twitter, and then toggling the “Siri” setting off. Doing so prevents Siri from accessing the social network, and that access is required for the glitch to work.
Update 4:12pm CT, April 5: Apple has rolled out a fix for this exploit, automatically correcting it without the need to manually update your device.