Siri Can Share Messages From Third-Party Apps On Locked Phones

When iOS 11 debuted, Apple allowed iPhone users to have more privacy by letting them hide notifications on their lock screen until they unlocked their phones with Face ID or Touch ID. But that security measure can apparently be circumvented through Siri, Mashable reported.

To learn the contents of notifications — such as messages sent through third-party messaging platforms — someone in possession of an iPhone could simply ask Siri to read them. In a test, Mashable was able to get Siri to read hidden messages from WhatsApp and Signal on the iPhone X and the iPhone 8 Plus models running the newest iOS.

According to Mac Magazine, that vulnerability also applies to devices that run iOS 11.3 beta. In addition, the flaw affects other apps, such as Telegram and Skype. But Apple’s own messaging app does not appear to have that issue.

In 2016, Apple iPhone users were reportedly being tricked into spilling the beans on all their personal information, including text messages, emails, browsing history and photos, and they had Siri to blame.

According to a report by Forbes at the time, there were several steps involved in tricking Siri into divulging information on the phone. The first thing bad guys had to do was determine the phone number of the iPhone, which Siri can provide. They then had to place a phone call from another phone, which was answered with a text reply.

Instead of entering a message, Siri was asked to engage in some action, such as enabling VoiceOver. The feature allowed people to interact with iOS via gestures. This security hole could have allowed hackers to steal credit card data, infiltrate backups and access Apple’s Keychain password manager, where passwords and other authentication data are stored.

While that report may not have sent Apple iPhone users running to the hills, there were growing indications that Apple was an increasing target for hackers. In Sept. 2016, Elcomsoft, a Moscow-based security company, said iOS 10 was very susceptible to a “brute force attack,” where hackers might have automatically tried one password combination after another until they found the right one.