I've read lots of articles about hacking the iPhone lately. They're mostly focused on exploring the hardware, circumventing the intended activation process, or putting new software on the device. That's nice, and I like to see a technological marvel smashed open with a hammer just as much as the next geek, but I'm more interested in how the iPhone changes the balance of power when it comes to security.

Small items first: There are a few minor application issues that make a phisher's job easier. For instance, the email client does not display the URL you're going to visit when you click on a link, so a phisher can send out spam that says Click here to go to PayPal and point the link to http://paypal.fakesite.ro, and there's no way to know what's going to happen until you click. Once you do click, the browser displays only the first 20 or so characters of the URL, so its easy to hide a big gnarly cross-site scripting attack without arousing any suspicion. Alternatively, the phishing site can use JavaScript to scroll the URL bar out of site. (See Joe Hewitt's writeup.) I expect issues like these will be addressed soon enough, just as they've been with all of the major desktop mail clients and Web browsers.

Much more interesting is the way the iPhone connects the Web browser and the phone. As the author of a Web site, you can embed a telephone number in a web page like this:

<a id="phone_home" href="tel:1-900-867-5309">call me!</a>


You can also write JavaScript that causes the iPhone to initiate the dialing process:

<script>

window.document.url = "tel:1-900-867-5309"

</script>

When that code runs, the user will be prompted "1-900-867-5309 (call) (cancel)". If the user accepts, the phone dials. Now you can turn phishing into money faster than ever before because the payload is the product: victims dial a 900 number, and the money starts rolling in. By the way, setting up a 900 number is easy.

Alternatively, use a cross-site scripting vulnerability to have a banking Web site initiate a call to a fake technical support number. What's the first thing the fake support rep asks for? Your account information of course! After all, you called them, so they need to "confirm your identity". Once again, an old scam gets new legs with a little help from the latest technology, and once again the ante on cross-site scripting goes up.