A security researcher named Jose Rodriguez demonstrated how to exploit the vulnerabilities of VoiceOver and Siri in a YouTube video. You can even access unrestricted access to the list of contacts stored on your device without unlocking your iPhone.
Rodriguez shows how exploits work, including calling the target iPhone or FaceTime. After making a call, the recipient must choose to use a custom message instead, instead of accepting the call. On the message screen, the user must open VoiceOver with Siri and then close it. But after switching VoiceOver, the user can jump to the Add Contact field so that all the contact information in the phone can be viewed.
Previously, Rodriguez had discovered another complex exploit in iOS 12. It allows users to view photos and contacts stored on the target iPhone with VoiceOver, much like the one on iOS 13. However, due to the complexity of the attack, the impact of the vulnerability should not be too large. Even if it succeeds, the attacker can only view the contacts in the target iPhone.
Rodriguez disclosed the vulnerability to Apple as early as iOS 13 beta.