As part of the Pwn2Own 2010 hacking contest, Vincenzo Iozzo and Ralf Philipp Weinmann created an exploit which allows them to hijack fully-patched iPhones' SMS databases—right down to deleted messages—simply by luring users to a "rigged" website.
Aside from hijacking entire SMS databases in about 20 seconds, the exploit could potentially also be used to "exfiltrated the phone contact list, photographs and iTunes music files." All that by simply having a user visit a specific website and without ever needing to leave the iPhone sandbox.
Iozzo and Weinmann received $15,000 for writing this contest-winning exploit, but no details of the hack will be released until Apple has been notified and is able to patch the vulnerability. [ZDNET]