There’s a lot to love in Apple’s newly released iOS 9 software. We told you about all of iOS 9’s best new features in an earlier article, and we also showed you 25 great hidden iOS 9 features that you really need to know about.

Now, it’s time to discuss iOS 9’s worst new feature: A major security flaw.

DON’T MISS: iPhone 6s: The 10 most important new features

According to Apple, more than 50% of iPhone and iPad users have already upgraded to iOS 9, which was released to the public just last week. This coming weekend, millions more will take delivery of their new iPhone 6 and iPhone 6s handsets, which will also be running Apple’s latest software.

Unfortunately, all of these users are vulnerable to a simple hack made possible by a serious security flaw in iOS 9.

YouTube user “videosdebarraquito” contacted BGR via email to draw our attention to a major flaw in Apple’s new mobile software. BGR has since been able to reproduce the resulting hack ourselves on multiple iPhone 6 handsets. The security hole allows people to use Siri to access an iPhone owner’s private data, and it is painfully easy to exploit.

Here’s how it works:

On any PIN-protected device running iOS 9, enter an incorrect PIN four times. On the fifth attempt, enter just three numbers (iOS locks for 1 minute after five incorrect PIN attempts) and then hold down the home button to bring up Siri as you enter the fourth.

We’ll let the video take things from there:

As you can see, this security hole allows anyone to access all of the private photos on a device, as well as all of the contacts. Bear in mind that throughout all of this, the phone is still locked.

Scary though this flaw may be, preventing it is quite simple. All you have to do is disable access to Siri while the phone is locked by opening the Settings app and tapping “Touch ID & Passcode.” Then scroll to the “Allow access when locked” section and slide the toggle next to Siri to off. Siri is enabled by default on the lock screen though, so most users running iOS 9 are currently exposed.

An Apple spokesperson did not immediately respond to a request for comment.