Expert: iPhone vulnerable to phishing attacks
- By Mike Tayler
- Published 07/20/2007
- IT News
Fortify's chief scientist Brian Chess points out that the iPhone's email client does not display the URL when a link is selected, and that only the first 20 characters of the URL are displayed in the iPhone's Safari web browser.
"It's easy to hide a big gnarly cross-site scripting attack without arousing any suspicion," he says. "Alternatively, the phishing site can use JavaScript to scroll the URL bar out of sight."
Chess is sure that these vulnerabilities will be corrected, "just as they've been with all of the major desktop mail clients and Web browsers".
However, Chess is more concerned about another vulnerability he's identified. Because the iPhone can dial phone numbers from scripts embedded in web pages, it can, for example, be made to call up expensive "pay per phone call" 900 services. Chess explains how it's done:
As the author of a Web site, you can embed a telephone number in a web page like this:
<a id="phone_home" href="tel:1-900-867-5309">call me!</a>
You can also write JavaScript that causes the iPhone to initiate the dialing process:
<script>
// Navigating the page to a tel: URL is what triggers the dial prompt
window.location.href = "tel:1-900-867-5309"
</script>
When that code runs, the user will be prompted "1-900-867-5309 (call) (cancel)". If the user accepts, the phone dials.
According to Chess it's relatively simple to set up a 900 number, which would make it easy for scammers to make money using this technique.
Chess also came up with another scenario where iPhone users might be at risk. He postulates that a fake banking web site could initiate a call to a fake technical support number, which would be answered by a fake support representative who would then ask for an account number and confirmation of identity information.
In coming months Chess expects that scammers will learn how to make web applications look like iPhone applications, possibly allowing access to contacts, photos, and perhaps even the location of the handset (scary). He also expects that as other mobile phone manufacturers launch their own iPhone killers, more opportunities will arise for scammers to take advantage of vulnerabilities.
"The devices will contain a treasure trove of security vulnerabilities that make the iPhone look like Fort Knox," predicts Chess. "After all, Apple got plenty of things right: at least you have to confirm before the phone dials."