MKBHD demo shows $10,000 Apple Pay bypass

- Marques Brownlee appeared in a 2026 Veritasium video showing researchers trigger a $10,000 Apple Pay charge from his locked iPhone.
- The demonstration relied on Apple’s Express Transit feature and a Visa card, a combination researchers said they first disclosed in September 2021.
- Veritasium’s YouTube video and 2021 University of Birmingham and Surrey disclosures set out the setup, limits and affected payment combinations.

Marques Brownlee did not publish a new security disclosure himself. The clip circulating on X comes from a Veritasium YouTube video in which Brownlee lets researchers demonstrate a known Apple Pay and Visa contactless flaw on his locked iPhone. In the video, a $5 payment goes through first, followed by a $10,000 transaction, without a Face ID prompt or passcode entry, according to Veritasium and multiple reports describing the footage. The setup was presented as a controlled demonstration, not a theft in the wild. Apple and Visa have previously said the scenario is unlikely in real-world use.

### Did Brownlee actually find a new iPhone hack?

Veritasium, not MKBHD, published the demonstration video in April 2026 under the title “We stole $10,000 from MKBHD’s locked iphone.” Reports on April 15 and May 4 said the video showed Brownlee’s phone being used in a lab-style setup with researchers and custom NFC equipment.

The University of Birmingham and the University of Surrey said on September 30, 2021 that they had already disclosed a vulnerability affecting Apple Pay with Visa cards in Express Transit mode. (forbes.com) Their statement said the flaw could bypass the iPhone’s Apple Pay lock screen and the usual contactless limit, allowing transactions “of any amount” in their tests. (youtube.com)

### How could a locked iPhone approve payment without Face ID?

Apple’s Express Transit feature is designed to let riders pay at transit gates without unlocking the phone. The Birmingham and Surrey researchers said they identified a code broadcast by transit gates — which they called “magic bytes” — that could wake Apple Pay into transit-payment mode. (birmingham.ac.uk)

The attack then relays and alters NFC communications so the iPhone believes it is talking to a transit terminal while the merchant reader believes user authorization has already happened, the universities said. MacRumors, citing the video and researchers, said the rig used an NFC reader, a laptop and a second phone to pass payment data to a legitimate terminal. (birmingham.ac.uk)

### Which cards and phones were affected in the researchers’ tests?

Visa cards set as the Express Transit card on an iPhone were the key condition in the 2021 disclosure. The universities said the weakness was in how Apple Pay and Visa worked together, and did not affect Mastercard on iPhones or Visa on Samsung Pay. (birmingham.ac.uk)

MacRumors and 9to5Mac reported the same limits in their April 2026 write-ups of the Veritasium video. Both said the exploit required physical proximity and specialized hardware, and both said it depended on the specific Visa-plus-iPhone Express Transit combination.

### Did Apple or Visa say the problem was fixed?

Apple told Veritasium, according to MacRumors and 9to5Mac, that the issue was tied to Visa’s system rather than the iPhone alone. (birmingham.ac.uk) Visa said the scenario was “very unlikely” in real-world settings and said cardholders were covered by its zero-liability policy for unauthorized transactions, those reports said. (macrumors.com)

The researchers said in 2021 that discussions with Apple and Visa had not produced a fix. A later University of Surrey release on October 28, 2025 said broader EMV contactless research had led to some industry fixes in other areas, but it did not say the Apple Pay-Visa Express Transit issue shown with Brownlee had been fully closed. That makes any claim that the viral clip revealed a newly patched or newly discovered flaw unsupported by the available source material. (macrumors.com)

### What should readers take from the viral posts?

The $10,000 figure in the clip is real within the demonstration shown by Veritasium, but the posts circulating around it can blur three separate facts: Brownlee was the on-camera subject, the underlying issue dates to 2021, and the attack required a specific setup rather than a casual tap from any passerby. Those limits are described in the university disclosures and in reports summarizing the video. (surrey.ac.uk)

Tom Chothia of the University of Birmingham said in the 2021 disclosure that iPhone owners should check whether a Visa card is set for transit payments and disable it if so. The Veritasium video and the university statements remain the clearest public sources for the mechanics of the demonstration and the affected card-and-device combination. (surrey.ac.uk) (birmingham.ac.uk)
