A recently discovered lockscreen glitch may force Apple to push out a firmware upgrade ahead of the arrival of iOS 4.2 next month. [UPDATE: Apparently not. An Apple spokeswoman told Wired.com that “We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November.”] The bug, which allows anyone to do things like make calls, send SMS messages and access the photo library on a locked phone, appears to affect phones running 4.0.1 and 4.1, jailbroken and non-jailbroken.
This appears to be a nuisance issue only; your friend can use it to annoy you, and if your phone is stolen you have bigger problems than people making calls to your contacts. The way it works is completely straightforward: you press "Emergency Call" from the lockscreen and then enter a nonsense sequence of digits/symbols like ###. Once the phone starts dialing, you immediately press the lock button and you're dropped into the Phone app, with access to call history and contacts. Additionally, if you go to an entry in your address book and choose to share a contact via MMS, tapping the camera icon takes you into the photo library.
The flaw recalls a similar bug back in iPhone OS 2.0.2 which allowed you to jump from the Emergency Call screen directly to the Favorites screen of the Phone app by double-tapping the Home button. Email addresses in Favorite contacts then gave access to the Mail app, exposing all your messages.
As usual, the only way around this built-in security hole is to jailbreak your phone. My Typophone 4 lockscreen doesn't have an Emergency Call button, nor do other lockscreen replacements like Android Lock.