I just saw a post about some of the browser capabilities of the new iPhone, and there was one feature that caught my eye:

- new telephone links allows you to integrate phone calls directly from your webpage. remember this is only on safari.

The first thing I thought of was, “Wow, I hope that you can’t somehow execute those links automatically via JavaScript…”. Can you imagine if you browse to a page and your iPhone automatically dials the number of an attacker and listens in on a conversation you might be having? Combine an XSS vulnerability on a high-profile website and a couple of high-profile CEO’s that we know have an iPhone and you could get some pretty interesting dirt!

That would be kind of bad…

Update: Hehe, see.