Tell HN: iCloud Login Bug
3 by unknownoperator | 0 comments on Hacker News.
Steps to reproduce: purchase a new iPhone from a prepaid MVNO. In the setup screen I decided to create myself a fresh @icloud.com account, skipping setting up a lockscreen PIN (relevant later). Here’s where things get fucked. 24h later, getting pop ups telling me to sign into iCloud again. I’m still logged in on the phone in Settings but nothing works. It’s telling me my email or password is wrong?!? The same password I always use for my important account and know by heart. I frantically attempted every variant I’d ever use. Of course I’m scared and looking for options.

Miraculously, without knowing the password I was still able to change my name from “Anonymous Operetive” to my government name and call Apple… and I was able to add a secondary @gmail in “Reachable at”, supposedly for recovery. I immediately fill out the standard iforgot.apple.com recovery flow. Thankfully they have my phone number verified but no other contact method besides the gmail. The page says basically it’s been accepted but I should wait 12 days before they’ll be sending me instructions for resetting the password by text, in 12 days as a security measure. After 13-14 days there was still no text from Apple with a password reset link. But something did change: the iCloud login prompt was now asking me my password for my @gmail account. Somehow it became the primary address and miraculously my normal password finally worked!

Now there’s more weirdness: in Settings it won’t allow me to remove this gmail from “Reachable at” in my Settings screen and use my initially set up @icloud.com address. The email app finally logged in and could receive mail. Now I can’t ducking remove the @gmail.com from my account and use the @icloud as the primary, and there’s a highly confusing UX glitch that occurs: when selecting the old gmail, clicking the red dot, a screen appears saying you have to choose a new Apple ID email. So, I enter my @icloud.com and submit. I get a popup “Your Apple ID has been updated. - Use xxxxxxx@gmail.com to sign into your account.” WTF? How has it been “updated” to the email I explicitly just clicked to delete? I try on iCloud.com in the browser to change my damn email and get the error: “This email cannot be used as an Apple ID at this time.” With no further explanation.

Not only is this an obvious, reproducible, scary, confusing bug, but it gets worse from here and there are major security implications. I called Apple again and explained this issue and offered to share my screen via remote assist. The agent did some research, and then said I have to wait 30 days to remove it. Nowhere in the UX does it say this, and why the fuck? How does removing a secondary, 3rd party email from my iCloud account take 30 days? What if it were compromised? This bug is bad. There’s a somewhat connected iCloud sign in bug that’s even worse and I’ll be blowing the whistle in a second submission about that.
