Address spoofing vulnerability in iOS's Safari - Update
The research demonstrated the vulnerability at majorsecurity.net/html5/ios51-demo.html: a "Demo" button opens a new page that loads apple.com in a borderless iframe and also displays apple.com in the address bar, although the page itself originates from majorsecurity.net. Fraudsters could use the vulnerability for phishing attacks by sending users to pages which appear to belong to their bank and asking for account data.
The vulnerability affects WebKit 534.46 in the latest iOS version 5.1, though earlier versions of iOS may also exhibit the problem. Users of third-party browsers based on WebKit on iOS could also be vulnerable to the address spoofing. Vieira-Kurz informed Apple of the problem in early March.
Update: There are apparently only a few third-party browsers, such as Dolphin HD, that are affected by the vulnerability. Other iOS browsers such as iCabMobile and Atomic Web are not.