Early this morning, we told you about a new iPhone 6s passcode bypass vulnerability that allowed anyone holding the device to access photos and contact details without needing to verify with a passcode or Touch ID. The Lock screen vulnerability was made possible by Siri, and let users bypass the security provided by the Lock screen passcode and/or Touch ID.
If there’s a positive spin to put on such a vulnerability, it’s that fixes can be implemented server-side without the need for an iOS update. Apple has today fixed the passcode bypass method by forcing Siri to request your Lock screen passcode whenever a user tries to search Twitter via Siri while at a secured Lock screen.
If you ask Siri to “Search Twitter” while at the Lock screen, you’ll now receive a response that says “you’ll need to unlock your iPhone first.” Previously, Siri would simply ask what the user would like to search for. The fix, which was apparently implemented sometime today, prevents anyone holding the device from accessing sensitive photos or contact information without first entering the passcode.
It also seems that Apple has fixed another bug, one much less nefarious, which let you activate Night Shift Mode while Low Power Mode is enabled. That trick, too, relied on Siri. Now, when you ask Siri to enable Night Shift while Low Power Mode is enabled, you’re met with a response that says: “In order to turn on Night Shift, I’ll have to turn off Low Power Mode. Shall I continue?”
Previously, users were able to enable both Night Shift and Low Power Mode by means of Siri.
Thanks to Gary and Peter for the tips.
These security flaws happen way too often.
There are so many different variables that Apple has to test as well as rely on the developer community to test. I applaud Apple for issuing a fix so rapidly.
Nonsense. Did you actually read the procedure and machinations it took to expose the issue?
Spoken like a person that has never written a line of code.
So now you must have a bachelor’s in computing sciences to make a comment about security flaws in a device that I own? K.
Charlypollo, people learn coding in high school these days and more often even at a younger age. Whether a person has manually coded in swift, html, php, c++, c# or Visual Basic, one thing all of them will know is the complexity of debugging – and it is a tremendous chore which always results in misses when you have tens of thousands of lines of code to go through.
You may own a device, but that doesn’t make you knowledgeable when it comes to the processes of programming.
Some people will never get the meaning “No software is 100 percent bug free.”
Actually you only need to have heard of someone who has written a line of code, or just not be a complete jerk wad, to know that there will always be bugs.
Why no night shift on low power mode? Does night shift consume extra juice?
Doubtful, as it only changes the hue of the screen; likely it was just included with the other disabled features erroneously.
Well I think it must. Older devices that got the update didn’t get night shift. So there must be some extra processing power required to change the color of the screen.
Really, I can’t believe you people think this was a bypass… it’s the same as the morons who thought they could ask Siri the time to get past the passcode… you are pushing down the home button to activate Siri… if you are using a finger linked to your Touch ID, it is automatically unlocking the phone for ease of access. If you were to try this with Hey Siri or a finger not linked to Touch ID, it would not work and would ask you to unlock your phone.
Dude. Did you even watch the video? You couldn’t have. Because if you had, you wouldn’t have commented calling people morons.
Didn’t watch the video did you?
Watch the video. Anyone can hold down the home button on your device to activate Siri. Siri works without asking them your passcode or unlocking the device.
Certain features of Siri are disabled for security reasons until *you* unlock your device.
This flaw enabled someone to bypass those restrictions; now, that flaw is fixed.
Trust me, if it was user error, Apple would be quick to point it out. They are not too shy to accuse people of using their devices wrongly. If Apple acknowledged the bug and fixed it, then it is definitely genuine.
Someone must be fired!
Wait, so Apple can allow Siri to bypass the lock screen server-side? Isn’t that antithetical to the whole encryption argument?
The dev process is the root cause of the flaw. You can make excuse after excuse, but to state that flaws happen because there are too many lines of code to test and debug is unacceptable.
No, it’s not, it’s normal. If you’re going to think like you just wrote, then you may as well delete any accounts you have online, and throw away all the gadgets and technology that you have. All have software which has bugs. That’s the point of OS and firmware updates.
You will find it impossible to find a piece of tech which uses software which is bug free. Most bugs in any product are only revealed after the public have used the product – because everybody uses their product differently there are many more variables at play than the limited number of employees at Apple (or any tech company for that matter) can freely think of.
Why don’t you try developing an OS and tell me after 2 years if any bugs were found by anyone other than yourself. Only then do you have the right to judge.