Bug in iOS 9.1 which allows any user to update status on Facebook even if their device is locked.
What is required on the device?
- Siri should be enabled
- Obviously, user should be signin into Facebook (Settings > Facebook)
How can users replicate this bug on their devices?
Start Siri and ask to update status on Facebook. Siri will ask for the message “you can ask siri to post anything“. Siri will then prompt for confirmation with a message (Post or Cancel). Tap on Post or tell Siri to Post.
Siri will update this message to the Facebook even if your device is locked.
Are all devices vulnerable?
I have informed apple security team and they are will be releasing an update soon. For now yes devices running iOS 9.0.0, 9.0.1, 9.0.2 and even latest update iOS 9.1 are vulnerable to this.
How can we protect ourselves?
We are waiting on apple to release a fix for this severe bug, as of now the only way to be secure is by turning off Siri or Logout from the Facebook application.