A new exploit has been discovered in iOS 7.1.1 that lets anyone access your full contacts list and send an email or text, or place a call, just by chatting with Siri.
Egyptian neurosurgeon and part-time hacker Sherif Hashim, apparently the first to discover the security hole, posted a YouTube video detailing the steps of the exploit.
To gain access to a user’s contact list, all you have to do is call up Siri and give a single-word command like “Call,” “Text” or “Email.” Siri will then ask you to specify who you want to speak to, at which point you can tap to edit your previous command. Typing in a single letter will make Siri clarify your request, giving you access to the “Other…” option, which pulls up all your contacts.
Pulling off the exploit requires a bit of verbal finesse with Siri, but we were able to duplicate it in seconds on an iPhone 5s running iOS 7.1.1. Our friend Tal has also pointed out that the Tap to Edit exploit can be used to call any number worldwide from the homescreen.
It’s been a while since a bug has let would-be attackers circumvent the passcode, but luckily you can easily prevent an attacker from pulling up info by disabling Siri on the lockscreen.
We asked Apple if they’re aware of the bug and if a patch might be forthcoming. We’ll update you as we learn more, but you might want to disable Siri on your lock screen if you’re paranoid about someone snooping on your contacts and sending fake texts from your phone.