Apple has fixed an exploit discovered in iOS 9.3.1 this week that leveraged Siri to gain access to photos and contacts on an iPhone 6s or 6s Plus without entering a passcode. According to The Washington Post, an unnamed Apple spokesperson confirmed the exploit had already been patched this morning:
An Apple spokeswoman confirmed that the bug was fixed Tuesday morning. Most consumers should have a fix in place — without the need for a software update.
Demonstrated in a YouTube video that began doing the rounds on Monday, the exploit involved using the voice-activated "Hey Siri" feature on the lock screen to ask Siri to search Twitter for an email address. Once an email address was found, users could then 3D Touch the address in the tweet and tap "Add to existing contact" in the context menu to gain access to the phone's contacts. Photos could then be accessed by choosing a contact and tapping "Add Photo."
While it's certainly a convoluted process, the exploit did allow access to potentially sensitive contact information and photos without the need for a passcode. Now, however, if you ask Siri to search Twitter (the first step in the process), the digital assistant will now prompt you to enter your passcode.
The patch appears to have been applied on Apple's end, so there's no need to download a new update.