The vulnerability lies within the iPhone's ability to automatically dial numbers listed on web pages via the Safari browser.
SPI Labs lead researcher Billy Hoffman warned in a company blog that malicious code could be disguised as phone links and used to run up service charges or render the iPhone useless.
Other possible implications of the vulnerability include cross-site scripting attacks, tracking a user's phone activity or causing a denial-of-service attack.
Hoffman said that the issue has been reported to Apple, and advised users to avoid following phone links in Safari until the company can issue a fix.
Other experts downplayed the risk, however. Paul Moriarty, director of internet content security at Trend Micro, told vnunet.com that similar avenues for attack have been found in other smartphones, and there is normally little danger to users.
"If you want to get a headline, maybe, but you are not going to make a whole lot of money," he said.
Moriarty explained that duping users into dialling premium numbers is not a solid business plan, given the policies of many service providers.
"If I call AT &T and dispute [the charges] the chances are they are going to erase it and hit the other company back for the money," he said.
"It strikes me as a much less convenient way to make money if I already have the skills to go out and conquer PCs."
Moriarty pointed out that there are only a million or so iPhones out there to exploit, but hundreds of millions of poorly maintained PCs with unpatched vulnerabilities ripe for attack.
Apple, Samsung, Google and others rush to go ever-higher upmarket is putting off potential customers
Laser tech can charge mobile phones from across a room
AMD's Zen chip roll-out continues with the focus on high-power embedded applications
And becomes the team's executive chairman to boot