The iPhone's Mail and Safari browser applications are prone to a URL spoofing vulnerability, that might allow phishing attacks.

Creating a crafted URL, and sending it via an e-mail, an attacker can convince the user that the spoofed URL so it looks like it is from a trusted domain like PayPal or any other sites.

When the URL is clicked, the Safari browser is opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is from a trusted domain.

iPhone Mail and Safari on firmware 1.1.4 and 2.0 are affected by this vulnerability. Earlier versions may also be affected, said Raff. (http://aviv.raffon.net/)