Just out, and it didn’t take long: a security flaw in Apple’s new iOS 7 operating system could enable unauthorized users to send messages or make social network postings on an iPhone owner’s behalf even when the phone is locked, researchers said.
The vulnerability enables an attacker to use the Siri personal voice assistant to crack a locked iPhone and execute tasks that would normally require user permission, such as sending email or posting to Facebook, said researchers at application security vendor Cenzic.
Cenzic researchers said they were able to use a locked iPhone, which belonged to a separate third party, to send email and texts, make calls, access contact information, and make updates to Facebook and Twitter, all with the user’s accounts and without the user’s knowledge.
“Imagine someone stealing your iPhone and – without knowing your passcode – sending messages, email, or social network postings to your friends and contacts, posing as you,” said Tyler Rorabaugh, vice president of engineering at Cenzic, in a blog.
The researchers posted a video demonstrating the ability to use Siri on a third party’s locked iPhone to make an update on the third party’s Facebook page. They also reported the ability to collect and steal the personal information of contacts stored in the iPhone.
With over 9 million iPhone 5S and 5C units sold in the first weekend of availability, it is easy to see where this could be a problem.
The flaw also works on some tasks under iOS 6, the researchers said. End users should take care not to let others use their iPhones, and may want to consider disabling Siri until Apple fixes the problem, the blog said.