The Register® — Biting the hand that feeds IT

* iPhone Mail bug adds phishing danger

Richard

Tap & Hold 

Here's a tip; if you tap on a link in an e-mail and hold for a second or two, the URL pops up for your delighted perusal.

Anonymous Coward

can somebody please elaborate on this? 

I fail to see how a link to a malicious website sent in a mail would be specific to any particular mail client or device?

If a Nigerian scammer sends you mail and asks you to tell them your bank details, how can you blame any device or software if you are stupid enough to do so?

Of course a baby-with-the-bathtub solution would be to block all email that contains a URL. Is that what this "researcher" suggests the iPhone is doing wrong?

vincent himpe

a permanent solution. 

Why don't browsers simply implement this simple solution:

When a block of text is marked as a URL, use that block of text and not an embedded link. Then there is no more hide and seek... At least give browsers an option flag to use either the embedded link or the text of the link itself, and an option to display either the original text or directly the attached link when rendering the page.

Anonymous Coward

Not perfect??? 

Flame

Gosh, you mean an Apple product is not perfect? Wait... What? Oh, you're on about the iPhone! That explains it then.

Tim J

Re: Tap & Hold 

Yeah, but *if* the vulnerability means that the bad guys can fake the URL that pops up then your tap & hold procedure is rendered useless.

Of course that's a big if - I've no idea what the specifics of this vulnerability are.

Rich

Probably the IDNA vulnerability 

Where a domain name in a non-Latin character set looks like a different one in English (aka homograph spoofing attack).

There are various fixes for this in most current desktop browsers.

Try http://www.shmoo.com/idn/ on your iPhone and see what it does?
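
The homograph spoofing mentioned in the comment above can be checked for mechanically. This is an added example, not part of the thread or of any browser's code: it decodes each hostname label from Punycode and reports labels containing non-Latin letters. The function names, the constructed `.example` URLs and the "first word of the Unicode character name" script heuristic are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def char_script(ch):
    """Rough script of a letter: first word of its Unicode name (heuristic)."""
    if not ch.isalpha():
        return None  # digits, hyphens etc. are shared by every script
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def decode_label(label):
    """Unicode form of one DNS label; decodes the xn-- (Punycode) wire form."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: report the raw label
    return label


def analyse_host(url):
    """Return (wire_label, unicode_label, scripts, mixed) for each suspicious label."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        text = decode_label(label)
        scripts = sorted({s for s in map(char_script, text) if s})
        if any(s != "LATIN" for s in scripts):
            # mixed=True (several scripts in one label) is the strongest signal
            findings.append((label, text, scripts, len(scripts) > 1))
    return findings


# Constructed sample: U+0430 CYRILLIC SMALL LETTER A followed by Latin "pple".
SPOOF_LABEL = "\u0430pple"
SPOOF_URL = ("http://xn--" + SPOOF_LABEL.encode("punycode").decode("ascii")
             + ".example/login")
CLEAN_URL = "http://www.apple.example/login"

if __name__ == "__main__":
    for url in (SPOOF_URL, CLEAN_URL):
        print(url, "->", analyse_host(url) or "no non-Latin labels")
```

A label flagged as mixed is a reason to display the `xn--` form rather than the Unicode rendering; a label wholly in one non-Latin script can be a legitimate internationalised name.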

Tony Hoyle

Um.. 

I'm not sure what that shmoo site is trying to tell me?

It comes up with a link saying 'IDN spoofed URL'. You click on that and it comes up with a page saying 'The fake TSG'.

I tried it on Firefox and Safari and they behave in exactly the same way.

As the fake and 'real' pages have different URLs this to me proves nothing... that links to different pages go to different pages? What am I missing?

Bickus Dickus

Robot says... 

Alert

Maybe hardware not the weak link. Maybe other thing. BEEP.

Anonymous Coward

iPhone not the problem

Jobs Halo

I don't know why you think this is an issue with the iPhone. The iPhone and all products that Apple make are beyond criticism from any mere mortals.

Obviously this is a flaw with the rest of the universe and this needs to be changed to ensure that it doesn't impact upon any of his Jobiness' creations.

PS. Obviously if a similar exploit is found in any other operating system then it's obviously a major security issue with that system and anybody using that system should be struck down by lightning.

Anonymous Coward

Banks don't send email 

You can safely ignore and delete any email that purports to come from a bank. Banks don't send email, they send old fashioned letters on old fashioned paper.
