UPDATED 00:42 EDT / APRIL 05 2016

Siri in iOS 9.3.1 can expose your contacts and photos: Here’s how to protect yourself

It seems the iOS 9.3 miseries continue for iPhone users. Since releasing iOS 9.3 three weeks ago, Apple has released a new build to resolve an issue that caused older iPhones and iPads to be bricked if the user couldn’t remember their original Apple ID details, and just a few days ago the company rolled out iOS 9.3.1 to fix an issue that caused Safari, Notes and the Mail app to freeze when a web link was clicked.

Now, a bug that affects how Siri handles a Twitter search query has been discovered in iOS 9.3.1.

The bug affects only iPhone 6s and 6s Plus handsets — it requires 3D Touch functionality — running iOS 9.3.1 and allows unauthorized users to bypass the device’s passcode and gain access to Contacts and Photos data.

Jose Rodriguez, also responsible for the discovery of a similar lock screen bug in iOS 9 last September, published a video to YouTube showing how this new iOS 9.3.1 vulnerability can be exploited.

How it works

After invoking Siri with a long home button press or via the iPhone’s “Hey Siri” feature, an unauthorized user can ask Siri to perform a Twitter search. If there is an email address in any of the search results, the user can pull up a contextual menu via 3D Touch with options to send an email and to add or modify contact information.

Next, it’s as simple as tapping “Add to Existing Contacts” in the 3D Touch Quick Actions menu to open the device’s Contacts list. From the Contacts list, the device’s Photos can then be accessed.

Before you panic

It’s not all that straightforward though; for this to work the owner of the iPhone must already have granted Siri access to their Twitter account, photos, and other apps by performing a Siri Twitter search themselves. Alternatively, they could also grant Siri permission in their iPhone settings.

The first time a user performs a Siri Twitter search, Siri will ask for permission to access the user’s Twitter account and ask them to confirm that they are the account user by entering the passcode or via Touch ID.

How to stop it (until Apple fixes it)

If you’re worried that you might fall victim to someone accessing your photo library in this way without your permission, there are a few steps you can take, albeit at the cost of losing the very conveniences that features like Siri and 3D Touch are designed for.

  • Revoke Siri’s access to your Twitter account: go to Settings > Twitter > toggle Siri OFF.
  • Revoke Siri’s access to your Photos app: go to Settings > Privacy > Photos > toggle Siri OFF.
  • Disable Siri on the Lock screen: go to Settings > scroll down to Touch ID & Passcode > enter your passcode > scroll down to Allow Access When Locked > toggle Siri OFF.
  • Disable 3D Touch: go to Settings > General > Accessibility > 3D Touch > toggle 3D Touch OFF.

Apple released iOS 9.0.2 to fix the previous Lock screen vulnerability soon after it was discovered and should do the same for this instance. Keep an eye out for any iOS updates in the coming days.

Image credit: Ervins Strauhmanis, Flickr
