The flaw was first discovered and posted online by YouTube user videosdebarraquito. The video is narrated in Spanish, but we’ve embedded a video explaining the flaw in English below. It relates to a bug in the latest version of iOS 9.3.1, which shipped only in the past week. It involves using a mixture of Siri and 3D Touch to gain access to a user’s contacts and photos from a locked iPhone 6s or iPhone 6s Plus.
To get access to a user’s contact and photos, he begins by asking Siri, using the “Hey Siri” function, to use Twitter from the iPhone’s lock screen. The results will include a Twitter user’s contact details, such as an email address. By force pressing on the email address using 3D Touch and then tapping “Add to Existing Contact,” the iPhone’s Contacts list will appear, revealing all the contacts on the device. Tap a contact and then their photo will cause the iPhone’s full photo library to also appear.
Note: Since 3D Touch is required for this hack, only the iPhone 6s and iPhone 6s Plus are vulnerable. Users concerned about this vulnerability can disable Siri in their Settings app until Apple releases a patch for the flaw.