Researchers find Apple Pay, Visa contactless hack


Large unauthorised contactless payments can be made on locked iPhones by exploiting how an Apple Pay feature designed to help commuters pay quickly at ticket barriers works with Visa.

In a video, researchers demonstrated making a contactless Visa payment of £1,000 from a locked iPhone.

Apple said the matter was "a concern with a Visa system".

Visa said payments were secure and attacks of this type were impractical outside of a lab.

The problem, researchers say, applies to Visa cards set up in "Express Transit" mode in an iPhone's wallet.

"Express Transit" is an Apple Pay feature which enables commuters to make quick contactless payments without unlocking their phone, for example touching-in and touching-out at a London Underground ticket barrier.

Researchers from the computer science departments of the Universities of Birmingham and Surrey discovered how to attack a weakness in how Visa systems work with this feature.

The researchers say they first approached Apple and Visa with their concerns almost a year ago - there have been "useful" conversations, but the problem has not been fixed.

Visa's view was that this type of attack was "impractical".

It told the BBC that it took all security threats seriously, but "Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence.

"Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world".

It is possible, for example, that Visa's fraud detection systems would spot and block unusual patterns of spending, although the researchers did not encounter this problem in their lab tests.

There's also the practical problem of getting close to a victim's phone.

Anyone who thinks they have lost their phone can use Apple's iCloud to block Apple Pay or wipe the phone, and they can also alert Visa and block payments.

Apple told the BBC: "We take any threat to users' security very seriously. This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place".

"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy".

But Dr Andreea Radu of the University of Birmingham, who led the research, told the BBC that complex attacks that work in the lab can end up being used by criminals.

"It has some technical complexity - but I feel the rewards from doing the attack are quite high", she said, adding that if unaddressed "in a few years these might become a real issue".

Dr Tom Chothia, also at the University of Birmingham, said iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it.

"There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are", he said.