A security flaw in Apple’s newest iPhones lets anyone bypass the phone’s passcode and access personal information.
The bug, posted on the Full Disclosure mailing list, is limited to the iPhone 6S and 6S Plus, which land with the new 3D Touch feature, and is present on iOS 9.2 and later — including the latest iOS 9.3.1 update, released last week.
Anyone with physical access to an affected phone can access the user’s contacts, photos, text and picture messages, emails, and phone settings, according to the disclosure.
ZDNet was not able to independently verify the flaw at the time of writing.
Benjamin Kunz Mejri, who found the bug, reached out to Apple last month but did not hear back within a two-week window. He said that the vulnerability can be temporarily fixed by disabling Siri from the lock screen.
The bug is reminiscent of a similar bug found by the same developer earlier this year, which requires an attacker to conduct a carefully performed time-based attack.
Apple did not respond to a request for comment.