The bypass only works on the iPhone 6s and iPhone 6s Plus, because those devices feature 3D Touch, which is used for this particular variant of The
passcode bypass trick. The flaw is present in the latest iOS 9.3.1 update.
How to test the passcode bypass:-
Step 1: Lock your device.
Step 2: Invoke Siri and say “Search Twitter”.
Step 3: Once Siri asks what to search for, say: “at-sign yahoo.com” or any other popular email domain.
Step 4: Once the search results are returned, tap on a tweet with a valid email address.
Step 5: 3D Touch the email address to bring up the contextual menu.
Step 6: Tap Create New Contact → add photo in order to view the photos on device. You may be asked to give Siri access to the Photo Library.
HOW TO PROTECT YOURSELF
You can disable Siri access to photos, which will prevent people from using the Create New Contact → add photo option mentioned above in step 6. This setting may only appear if you’ve already given Siri access to your photos as outlined in step 6 above. Unfortunately, this won’t prevent people from seeing your contacts, so if this is a concern, see the alternative security method below.
Disable Siri on the Lock screen
You can outright disable access to Siri from the Lock screen, stopping this pass code bypass method before it even begins. To do so, go to Settings → Touch ID & Pass code and disable the Siri switch under the allow access when
locked heading. This is the more drastic step that eliminates the ability to use Siri altogether while at the Lock screen, so understand the consequences that this could have on your workflow.
You can also rest easy knowing that if your iPhone reboots or encounters a Touch ID grace period time out, you’ll need to verify your pass code before using Siri. Chances are, you’ll never have to worry about your privacy being breached by means of this bypass.