Siri Will Let Anyone Access Your Contacts from the Lock Screen

openlockA new “feature” of iOS 7.1.1 has been discovered by Egyptian Neurosurgeon Sherif Hashim. With a simple work-around, Siri will help anyone access your contacts, even if your phone is locked. The bug allows a user to launch Siri, and say “Call”, “Text” or “Email”, and then after using the keyboard to type a single letter, the user is prompted to “Clarify, at which time selecting “Other…” will provide them with the contact list on the device.

Beyond possibly revealing confidential client lists for attorneys (that keep clients in their contacts), once the contact list is seen, Siri can be used to “Text”, “Call” or “Email” anyone that was identified from browsing your contacts. This means that the malicious user can send messages as YOU to contacts on your device!

For those that want to prevent themselves from being a victim of this vulnerability, disable the use of Siri on the lockscreen. This can be done by going into the Settings App, choosing “Passcode” (or on iPhone 5s, “Touch ID & Passcode”), then disabling Siri access in the “Allow Access When Locked” section. No word on when a fix will be released.2014-05-07 09.59.23

For more information, see Gizmodo.

Another Major https Vulnerability in iOS 7.1

It seems that the new update Apple released Tuesday for iOS was more important than originally thought. iOS 7.1.1 patches a vulnerability that would allow a “man-in-the-middle” to intercept encrypted data that is being transmitted using SSL over https connections.

According to Ars Technica, this bug allows a third party to open two connections. One would be the connection to the site you believe you are accessing, while the second connection would also send your data to a third party without your knowledge. This bug effects any device running iOS 7.1 or earlier.

It is recommended that this update be installed on your devices immediately. To install the update open ‘Settings’, then ‘General’, then ‘Software Update’.