The vulnerability, which was disclosed Friday by researchers at application security vendor Cenzic, enables an attacker or prankster to use the Siri personal voice assistant to crack a locked iPhone and execute tasks that would normally require user permission, such as sending email or posting to Facebook.
In a blog describing the iPhone flaw, the Cenzic researchers said they were able to use a locked iPhone belonging to a third party to send email and texts, make calls, access contact information, and make updates to Facebook and Twitter, all with the user's accounts and without the user's knowledge.
"Imagine someone stealing your iPhone and -- without knowing your passcode -- sending messages, email, or social network postings to your friends and contacts, posing as you," the blog says.
The researchers posted a YouTube video demonstrating the ability to use Siri on a third party's locked iPhone to make an update on the third party's Facebook page. They also reported the ability to collect and steal the personal information of contacts stored in the iPhone.
The flaw also works on some tasks under iOS 6, the researchers say. End users should take care not to let others use their iPhones, and may want to consider disabling Siri until Apple fixes the problem, the blog states.