The vulnerability lies within the iPhone's ability to automatically dial numbers listed on web pages via the Safari browser.
SPI Labs lead researcher Billy Hoffman warned in a company blog that malicious code could be disguised as phone links and used to run up service charges or render the iPhone useless.
Other possible implications of the vulnerability include cross-site scripting attacks, tracking a user's phone activity or causing a denial-of-service attack.
Hoffman said that the issue has been reported to Apple, and advised users to avoid following phone links in Safari until the company can issue a fix.
Other experts downplayed the risk, however. Paul Moriarty, director of internet content security at Trend Micro, told vnunet.com that similar avenues for attack have been found in other smartphones, and there is normally little danger to users.
"If you want to get a headline, maybe, but you are not going to make a whole lot of money," he said.
Moriarty explained that duping users into dialling premium numbers is not a solid business plan, given the policies of many service providers.
"If I call AT &T and dispute [the charges] the chances are they are going to erase it and hit the other company back for the money," he said.
"It strikes me as a much less convenient way to make money if I already have the skills to go out and conquer PCs."
Moriarty pointed out that there are only a million or so iPhones out there to exploit, but hundreds of millions of poorly maintained PCs with unpatched vulnerabilities ripe for attack.
Latest Tesla news: Tesla stock price tanks amid reports of 'widening probe' by SEC and claims the base Model 3 loses money
SEC 'probe' takes its toll on Tesla as new research suggests that Tesla loses $6,000 on every $35,000 Model 3
10nm Cannon Lake Core i3-8121U CPUs make a rare outing with Intel's NUC mini PC
'Notorious' Australian child hacker thought he had executed 'flawless' hack
The former employee says that Tesla fired him for bringing the accusations to management internally