iPhone Vulnerability Discovered; Fix to be Released Tomorrow in iPhone Firmware 2.2?
The staff of Fraunhofer Institute for Secure Information Technology (SIT) has discovered a vulnerability that lets an attacker take control of your iPhone and make a (potentially expensive) phone call when you visit a malicious website in your iPhone’s Safari browser.
Apple had fixed a similar Safari security flaw last year, but it looks like the flaw was not completely fixed.
In the press release, SIT reveals (translated from German to English):
“With a simple trick the attacker can take control over iPhone’s Safari browser and automatically dial a call such as an expensive 0900-number.” The call cannot be canceled once initiated.
SIT believes that for the attack to work, the attackers would have to trick iPhone users into visiting a malicious website, which could be done by sending an email with the URL of the malicious website.
SIT claims that it notified Apple of the vulnerability about a month ago and reports that a fix for it will be released on Nov 21st, 2008.
Interestingly, it coincides with the release date of iPhone firmware 2.2 which we had reported earlier. iPhone firmware 2.2 is also expected to include a number of small new features.
The vulnerability was to be announced in ComputerBild on Monday but I am guessing SIT released the details today as their discovery would not get as much attention if the vulnerability was fixed by the firmware update prior to their announcement. The video of the exploit is available here.
It is reassuring to know that Apple will be fixing it in the next firmware update (which could be as early as tomorrow).
As a precautionary measure, it's advisable that iPhone users open only URLs of trusted websites on their iPhone until we hear from Apple on this vulnerability or they provide a fix.
What's your take on the vulnerability?
[via | iPhone Hacks]







