Veritasium Stole $10,000 From MKBHD's Locked iPhone. Apple and Visa Knew About the Bug for 5 Years.

Veritasium and MKBHD demonstrated a man-in-the-middle NFC attack that drained $10,000 from a locked iPhone with no passcode, no Face ID, and no notification. The exploit targets Apple Pay's Express Transit mode with Visa cards specifically. Researchers disclosed it to Apple and Visa in 2021. Five years later, it still works. Both companies say it's the other's problem.