The vulnerability, which only affects the iPhone 4, involves the Voice Dial command, as demonstrated in the video below from YouTube user videosdebarraquito.
iPhoneinCanada tested the method in the video using an iPhone 4 running iOS 6.1.3 and found that the security flaw does indeed exist, giving a potential intruder access to both contacts and photos.
Like the previous passcode vulnerability, the current hack involves a complicated set of steps that includes initiating Voice Dial command and quickly ejecting the phone's SIM card.
When the SIM card is removed, the phone opens the recent call log, which gives access to the contact list. In the contact list, adding a photo also gives access to all of the pictures on the device.
The previous passcode vulnerability was discovered in mid-February, and it took Apple more than a month to push a fix. An update for the current bypass could follow a similar timeline, but the vulnerability can be fixed by disabling Voice Dial from the Passcode Lock menu.
At this time, the vulnerability has only been shown to work with the iPhone 4. We were unable to reproduce the results with an iPhone 5 with Siri disabled, though the bug may potentially affect the pre-Siri iPhone 3GS as well.
Update 1:07 PM: iPhoneBlog.de reports that it has reproduced the issue on an iPhone 5 with Siri disabled, although we have still been unable to do so.