The recently released iOS 9.3.1 fix for the link-crashing glitch plaguing iPhones and iPads has a bug that allows anyone to access photos and contacts on a locked device.
A YouTube video shows the vulnerability in action and reveals that all a hacker needs to pilfer contacts from a passcode-locked iPhone 6S or 6S Plus is access to Siri and 3D Touch.
The hack is worryingly easy to execute. You simply fire up Siri by pressing the home button or using the 'Hey Siri' command, and ask Apple's mouthy digital assistant to initiate a Twitter search.
If the results include contact details such as an email address, using 3D Touch on the contact information will bring up the Quick Actions Menu and allow you to add it to an existing contact - in turn offering access to the iPhone's entire contacts list.
What's more, by selecting a contact and choosing to add an image, the iPhone's entire photo library can be accessed.
Apple has yet to respond to the flaw but is likely to be beavering away on yet another update to iOS 9.3.
Until then, there is a way to keep your iPhone's information safe should it fall into the hands of a hacker.
Siri can carry out the command in question only if given permission to access Twitter account information, as well as contacts and photos. To revoke these permissions, head to Settings > Privacy and switch off Siri's access to Twitter and Photos. To stop it accessing your contacts, you'll need to disable Siri's lock screen activation by heading to Settings > Touch ID & Passcode.
The link-crashing glitch and new Siri and Touch ID flaw aren't the only problems that have bothered early iOS 9.3 adopters.
The firm was forced to release yet another update to fix a bug plaguing users of older Apple devices who reported that the update turned their iPhone and iPad into an expensive lump of metal and glass.