CWmike writes: Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani, best known for uncovering an Apple Safari vulnerability in 2008 that could be exploited with 'carpet bomb,' demonstrated Monday how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites," said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' said Dhanjani.