A basic design flaw in the Apple iPhone makes it susceptible to a URL spoofing vulnerability, according to a security researcher who discovered the flaw.
Israeli vulnerability researcher Aviv Raff, is warning that the iPhone's mail and Safari browser applications could be exploited by an attacker using a common phishing method. The flaw was found in versions 1.1.4 and 2.0 of the iPhone firmware.
An attacker can pass a spoofed URL in a spam message, making it appear as though it came from a trusted source, such as a bank or popular social network. If the victim clicks on the link, Safari will open and display the URL as if it was from the trusted site, Raff said.
Technical details are being withheld until Apple releases a patch. Raff said Apple is aware of the problem and is working on a fix. Users should avoid clicking on links in email messages from the mail application, even if they appear to come from a trusted website, Raff said.
"Instead, a user should enter the URL of the website manually in the Safari application," he said.