Security research specialist Nitesh Dhanjani has demonstrated how mobile Safari's ability to hide a web page's URL can be used to trick users. Specifically, his proof-of-concept site shows a "fake" URL field once the real one has been hidden, preventing users from realizing that they're not looking at the site they intended to see.
Dhanjani goes on to note that in situations where a URL field should be visible, a hacker could simply present the fake one, tricking most users. He offers more detail on his blog and says that he's been in communication with Apple about the issue. You can check out a brief video of how the trick works after the break.