A new “feature” of iOS 7.1.1 has been discovered by Egyptian neurosurgeon Sherif Hashim. With a simple work-around, Siri will help anyone access your contacts, even if your phone is locked. The bug allows a user to launch Siri and say “Call”, “Text” or “Email”; then, after using the keyboard to type a single letter, the user is prompted to “Clarify”, at which time selecting “Other…” will provide them with the contact list on the device.
Beyond possibly revealing confidential client lists for attorneys who keep clients in their contacts, once the contact list is seen, Siri can be used to “Text”, “Call” or “Email” anyone who was identified from browsing your contacts. This means that the malicious user can send messages as YOU to contacts on your device!
To avoid becoming a victim of this vulnerability, disable the use of Siri on the lock screen. This can be done by going into the Settings app, choosing “Passcode” (or on iPhone 5s, “Touch ID & Passcode”), then disabling Siri access in the “Allow Access When Locked” section. No word on when a fix will be released.
For more information, see Gizmodo.