Manual dialing of numbers is recommended...

Jul 19, 2007 12:29 GMT

The iPhone has a wide array of features. Some, like the multi-touch interface, are well known and constantly used, while others, such as the web dial feature, are more obscure. Web dial allows single-tap dialing of telephone numbers found in web pages: instead of typing the number into the keypad, you tap it as if it were a link, and the phone places the call. The catch is that the feature appears to have bugs.

This timesaving feature could be exploited to hide the number that will actually be called, tricking users into dialing other, far more expensive numbers. The visible text of a link and the number it dials are two separate things, so a page can show one number and dial another. The most likely candidates are "900" premium-rate numbers, which charge a large amount per minute and typically offer services ranging from tech support to entertainment. Since the user is billed from the moment the call connects, such exploits could prove expensive for the average user.

More complex exploitation could go as far as tracking the calls being made, redirecting calls to other numbers, and even placing calls without the user's knowledge. Denial-of-service attacks through the same vector could render the device unusable until it is turned off. While the easiest way of exploiting this vulnerability is through user interaction, that interaction is apparently not required: a properly crafted malicious site could exploit the user's phone without his or her knowledge. It is unclear whether the bug is present only in Safari or whether it can also be exploited via the Google Maps application and Mail, but it is definitely present in Safari.

While SPI Labs has not publicized detailed information about the exploits, the security firm warns that users should stay well away from telephone number links in web pages, especially on sites without a strong reputation, and dial numbers by hand instead. SPI states that it reported the vulnerability to Apple on July 6 and is working with the company to resolve the issue. However, to date Apple has neither acknowledged the alleged problem nor issued a public advisory.