All posts by Megabyte

Critical iPhone Vulnerability Revealed

Humbug Is The Critical iPhone Vulnerability That Apple Don’t Want You To Know About.

A new critical Apple vulnerability has been discovered, one that strikes at the very heart of their walled garden: the iOS / macOS / iPadOS activation backend. This isn’t just another bug; this is a gaping, unauthenticated wound that has been open and bleeding silently for who knows how long. Security Researcher @stormmedia calls this one “Operation Humbug.”

The Flaw

The Humbug vulnerability lives on a specific Apple internal endpoint, https://humb.apple.com/humbug/baa. This server’s job is to handle provisioning and configuration during the initial device setup. The mind-boggling, straight-up shitty behaviour here is that this endpoint accepts unsigned XML payloads. No authentication. No signature verification. Nothing. Manipulate the input as you wish & receive the manipulated response you require.

That’s right. During the most critical phase of your device’s life—the moment it first phones home to Apple—any scumbag on a captive network, a rogue Wi-Fi access point, or even a malicious actor inside the supply chain can inject their own code. The server processes it without a peep, returning a clean HTTP 200 OK, as if everything is fine and dandy. No shit.
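To make the missing control concrete, here is an added example (not code from this post, and not Apple’s code) of a provisioning handler that does what the post says the Humbug endpoint does not: it refuses to parse a payload until a signature over it has been verified. The pre-shared HMAC key, the XML element names, the allow-list and the sample payloads are all constructed for illustration; a real provisioning service would use a public-key signature checked against a pinned key, but HMAC keeps the example self-contained. The `weak_handler` models the behaviour the post describes (parse anything, answer 200), and `hardened_handler` sits beside it for comparison.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed key for the example only. In a real service the verifying key would
# be provisioned out-of-band (or replaced by an asymmetric public key).
SIGNING_KEY = b"example-key-not-a-real-secret"

# Hypothetical allow-list of element names the handler is willing to accept.
# Anything outside it is treated as an injection attempt even if it was signed.
ALLOWED_KEYS = {"DeviceSerial", "ActivationState"}

# Constructed sample payloads. The tampered one carries an extra element; the
# name AllowedProtocolMask is the one the post mentions as an injection target.
GOOD_XML = (
    b"<provision>"
    b"<DeviceSerial>C0NSTRUCT3D</DeviceSerial>"
    b"<ActivationState>Unactivated</ActivationState>"
    b"</provision>"
)
TAMPERED_XML = (
    b"<provision>"
    b"<DeviceSerial>C0NSTRUCT3D</DeviceSerial>"
    b"<ActivationState>Unactivated</ActivationState>"
    b"<AllowedProtocolMask>0xFFFF</AllowedProtocolMask>"
    b"</provision>"
)


def sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw bytes; stands in for a real signature scheme."""
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def _parse_settings(payload: bytes) -> Dict[str, str]:
    """Flatten the direct children of the root element into a name -> text map."""
    root = ET.fromstring(payload)
    return {child.tag: (child.text or "") for child in root}


def weak_handler(payload: bytes) -> Tuple[int, Dict[str, str]]:
    """Models the behaviour described above: parse whatever arrives, return 200."""
    return 200, _parse_settings(payload)


def hardened_handler(payload: bytes, signature: Optional[str]) -> Tuple[int, Dict]:
    """Verify before parse: unsigned or tampered payloads never reach the XML parser."""
    if signature is None:
        return 401, {"error": "missing signature"}
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sign(payload), signature):
        return 403, {"error": "bad signature"}
    try:
        settings = _parse_settings(payload)
    except ET.ParseError:
        return 400, {"error": "malformed xml"}
    # Defence in depth: even a correctly signed payload may only set known keys.
    unexpected = sorted(set(settings) - ALLOWED_KEYS)
    if unexpected:
        return 400, {"error": "unexpected keys", "keys": unexpected}
    return 200, settings


if __name__ == "__main__":
    print("weak, tampered:     ", weak_handler(TAMPERED_XML))
    print("hardened, unsigned: ", hardened_handler(TAMPERED_XML, None))
    print("hardened, forged:   ", hardened_handler(TAMPERED_XML, sign(GOOD_XML)))
    print("hardened, genuine:  ", hardened_handler(GOOD_XML, sign(GOOD_XML)))
```

The order of checks is the point: signature, then parse, then allow-list. Parsing before verifying would hand attacker-controlled XML to the parser on every unauthenticated request, which is exactly the failure the post attributes to the endpoint.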

What This Means For You

This is a pre-activation attack. It requires no jailbreak, no physical access after the initial setup, and no user interaction. An attacker could:

  • Inject persistent profiles: They can drop malicious configuration files that will stay on your device forever, bypassing standard MDM controls.
  • Modify network settings: Think of it like a backdoor into your phone’s modem, allowing them to change things like AllowedProtocolMask to force traffic through their own servers.
  • Install silent tasks: The attacker can plant hidden instructions to be executed at a later time—a classic “sleepy spyware” tactic.
  • Do Anything They Want: And you’d never know.

In essence, your brand new, factory-sealed iPhone could have a permanent, undetectable infection before you ever get to enter your passcode. It’s a fundamental breakdown of trust, proving once again that corporate statements about security are just that: statements.

This is a dream for international spy agencies & an absolute nightmare for Apple. It’s also the dead-end for iCloud locks preventing activation on wiped iPhones / iPads / MacBooks.

Apple were informed of this flaw in May 2025. It’s now September. “September my cousin tried reefer for the very first time, now he’s doing horse. It’s June” – Prince Rogers Nelson, Sign O The Times – voted Song Of The Century, 1900 – 2000.

How To Fight Back

Apple’s response has been, predictably but also inexplicably, silence. There’s no public CVE, no official acknowledgement, and no patch yet. Why would the world’s second most valuable company ignore this discovery? There are two possible reasons: either Humbug is a fake (it’s not, see the Proof Of Concept), or this is a shattering discovery to which they have absolutely no possible response.

So, what can you do? Relax & hope nothing happens to you? You won’t know about it until it’s too late anyway. Buy a Google Pixel, run that on GrapheneOS. If you choose to stay with Apple, you now do it with considerable, unquantified risk. iDevices cannot be trusted during the period before you control them.

Until Apple gets their act together and closes this massive hole, there’s no easy fix once a device is compromised. However, you can significantly reduce your risk by taking these precautions with new devices:

  1. Avoid Public Networks during Setup: When you first activate a new iPhone, do it on a trusted network you control.
  2. Use a VPN: If you absolutely must set up a new device on a public network, use a VPN on a computer to share a secure connection with your phone. It’s an extra step, but a necessary one.
  3. Monitor for Suspicious Behavior: Check your device’s profiles (Settings > General > VPN & Device Management) after setup. If you see anything you didn’t put there, wipe the device and start over on a secure network.

The above tips are not foolproof solutions; they’re basic mitigations. This flaw exists from the moment that your iDevice hits the internet for activation. There’s literally nothing you can do with an iPhone prior to activation – yet Humbug shows us how to manipulate the entire device before the user can do anything.

This vulnerability shatters Apple’s “it just works” security narrative. It’s a reminder that we can’t just trust the big players. We must be vigilant and proactive in protecting our own digital lives. I can’t believe that Apple made this design error, I’m also stunned that it wasn’t discovered earlier – but here we are. It was entirely acceptable for the phone-buying public to assume that Apple had a secure chain of communication from the get-go. They did not.

We’ll continue to track this story as it develops. For now, be careful out there. The bad guys aren’t just hacking phones; they’re getting them straight from the factory.