If you’re selling an iMac to a friend (or random Craigslist person), you should do yourself a favor and make sure you have fully removed the computer from your iCloud account. And if you’re the buyer in this scenario, make sure the other person has wiped the system and pulled the machine out of their iCloud accounts—or at the very least, sign into yours on your new system so you can keep them from keeping tabs on the computer’s location, among other fun tricks.
Google product manager Brenden Mulligan found this out the hard way about an old iMac computer he sold on Craigslist. As he writes in a Medium post, he still had access to the computer three years later via Apple’s Find My iPhone feature, as the person he sold the system to never actually tried to use iCloud the entire time.
“So this crazy thing happened recently with an old Mac I sold on Craigslist a few years ago. I noticed it was still showing up in my Find My iPhone app. Well, at first I didn’t realize it was that particular Mac. I just happened to notice there was a computer I didn’t recognize in Find My iPhone called ‘Michael’s iMac,’” he writes.
“I clicked in and saw a computer that wasn’t mine showing up on a map about 100 miles north of my house. I vaguely remembered selling an iMac on Craigslist 3 years ago, and figured that was this one. Then I realized that meant for over 3 years, I had access to this person’s exact location. That’s insane to me.”
Since the system was still registered to his iCloud account, Mulligan could also have it play a sound at any point, lock down the computer entirely, or erase its contents—all powers you probably don’t want a system’s former owner to have. That’s in addition to the aforementioned location-tracking, which is also a bit unnerving.
These features can be useful under the right circumstances, though. In this case, Mulligan was able to get in touch with the computer’s buyer, and get the owner to activate their own iCloud account on the iMac, by locking the computer remotely and putting in his own phone number as part of the message that’s shown for anyone trying to log into the system.
“Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent OS X update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there’s no chance the seller can track you,” Mulligan writes.
As Apple notes, you can also remove devices you no longer have access to from your iCloud account: go to Settings on icloud.com, click on the device you want to disassociate, and click the big “x” delete button next to it. It’s unclear if Mulligan attempted that approach, but his advice still stands for buyers, at least: sign into iCloud yourself to confirm that your seller isn’t keeping tabs on where you are.