How I sold an old Mac and unknowingly had access to its location for over 3 years

By: Brenden Mulligan
So this crazy thing happened recently with an old Mac I sold on Craigslist a few years ago. I noticed it was still showing up in my Find My iPhone app. Well, at first I didn’t realize it was that particular Mac. I just happened to notice there was a computer I didn’t recognize in Find My iPhone called “Michael’s iMac”.

I clicked in and saw a computer that wasn’t mine showing up on a map about 100 miles north of my house.

I vaguely remembered selling an iMac on Craigslist 3 years ago, and figured that was this one. Then I realized that meant for over 3 years, I had access to this person’s exact location. That’s insane to me.
How the hell did that happen?

Before selling, I erased the computer and re-installed a fresh OS X
I did a hard erase of the computer and reinstalled OS X factory fresh. The mistake I made was that before erasing the computer, I didn’t sign out of iCloud / Find My Mac. I figured erasing the computer would do that. It didn’t.

I sold the computer and the user didn’t log into iCloud
For whatever reason, this person didn’t need to sign into iCloud. So this meant that Apple still associated the computer hardware with my iCloud account. The computer wasn’t logged into my iCloud account, but was still associated with my account, so I still could track the computer’s location in real time.

For me (the seller), this isn’t much of a security risk
The buyer won’t see or have access to any private iCloud data; the hardware is just associated with it. But the seller can’t disassociate it without the buyer’s help (and I didn’t have any way to contact them), so it’s a pain.
No, logging all devices out of iCloud doesn’t work. And no, this has nothing to do with if the computer is in your Support Profile.
The only options I had were Play Sound, Lock, and Erase.

For the buyer, there are massive privacy concerns.
The biggest privacy issue is for the buyer. If they don’t turn on Find My Mac with their own iCloud account, they leave a lot of power in the previous owner’s hands.

The previous owner can track the buyer’s location.
At any time in the past 3 years I could have tracked this computer’s exact location. Not a huge deal with an iMac, but if this was a laptop, I’d basically know where this person was at all times. Terrifying.

The previous owner can erase everything remotely.
With two clicks, at any point, I could shut down this user’s computer and completely wipe it clean. They couldn’t stop it and would have no control. They’d lose everything.

The previous owner can lock the buyer out.
This is what I ended up doing. It was the only way I could get in touch with the owner. So I remotely locked the computer and in the lock message, put my phone number.

The new owner texted and we got it resolved. As mentioned, it wasn’t that they were still logged into my iCloud account, it was that they never signed into their own iCloud account.

Resolving it showed one last nugget of privacy ugh.
When Michael finally logged into his own iCloud account and turned on Find My Mac, the computer was nice enough to tell him my full name.

Not a huge deal, but for people who want to remain anonymous when selling a computer, this sucks.

Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent OS X update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there’s no chance the seller can track you.