How I sold an old Mac and unknowingly had access to its location for over 3 years

So this crazy thing happened recently with an old Mac I sold on Craigslist a few years ago. I noticed it was still showing up in my Find My iPhone app. Well, at first I didn’t realize it was that particular Mac. I just happened to notice there was a computer I didn’t recognize in Find My iPhone called “Michael’s iMac”.


I clicked in and saw a computer that wasn’t mine showing up on a map about 100 miles north of my house.


I vaguely remembered selling an iMac on Craigslist 3 years ago, and figured that was this one. Then I realized that meant for over 3 years, I had access to this person’s exact location. That’s insane to me.

How the hell did that happen?

Before selling, I erased the computer and re-installed a fresh macOS

I did a hard erase of the computer and reinstalled macOS factory fresh. The mistake I made was that before erasing the computer, I didn’t sign out of iCloud / Find My Mac. I figured erasing the computer would do that. It didn’t.

I sold the computer and the user didn’t log into iCloud

For whatever reason, this person didn’t need to sign into iCloud. So this meant that Apple still associated the computer hardware with my iCloud account. The computer wasn’t logged into my iCloud account, but was still associated with my account, so I still could track the computer’s location in real time.

For me (the seller), this isn’t much of a security risk

The buyer won’t see or have access to any private iCloud data; the hardware is just associated with it. But the seller can’t disassociate it without the buyer’s help (and I didn’t have any way to contact them), so it’s a pain.

No, logging all devices out of iCloud doesn’t work. And no, this has nothing to do with if the computer is in your Support Profile.

The only options I had were Play Sound, Lock, and Erase.


For the buyer, there are massive privacy concerns

The biggest privacy issue is for the buyer. If they don’t turn on Find My Mac with their own iCloud account, they leave a lot of power in the previous owner’s hands.

At any time in the past 3 years I could have tracked this computer’s exact location. Not a huge deal with an iMac, but if this was a laptop, I’d basically know where this person was at all times. Terrifying.

With two clicks, at any point, I could shut down this user’s computer and completely wipe it clean. They couldn’t stop it and would have no control. They’d lose everything.


This is what I ended up doing. It was the only way I could get in touch with the owner. So I remotely locked the computer and in the lock message, put my phone number.


The new owner texted and we got it resolved. As mentioned, it wasn’t that they were still logged into my iCloud account, it was that they never signed into their own iCloud account.

Resolving it showed one last nugget of privacy ugh

When Michael finally logged into his own iCloud account and turned on Find My Mac, the computer was nice enough to tell him my full name.


Not a huge deal, but for people who want to remain anonymous when selling a computer, this sucks.

Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent macOS update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there’s no chance the seller can track you.
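
A check a seller can run before wiping, or a buyer on first boot, to see whether the Mac itself still reports a Find My association. This is an added example, not part of the original post or any Apple tooling. It assumes that older Intel Macs keep a Find My token in the NVRAM variable `fmm-mobileme-token-FMM` and that newer Macs print an "Activation Lock Status" line in `system_profiler SPHardwareDataType`; the function name and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: classify the local Find My / Activation Lock state from
# captured tool output, so it can be run on the Mac itself or on saved output.
# Assumptions: the NVRAM variable fmm-mobileme-token-FMM holds the Find My
# token on older Intel Macs; newer Macs show "Activation Lock Status" in
# `system_profiler SPHardwareDataType`.

# $1 = output of `nvram -p`
# $2 = output of `system_profiler SPHardwareDataType`
# Prints: associated | clear | unknown
find_my_state() {
    nvram_out=$1
    hw_out=$2

    # A Find My token left in NVRAM means the hardware still reports to an account.
    if printf '%s\n' "$nvram_out" | grep -q '^fmm-mobileme-token-FMM'; then
        echo "associated"
        return 0
    fi

    # Newer hardware states the lock status directly.
    lock=$(printf '%s\n' "$hw_out" | sed -n 's/^ *Activation Lock Status: *//p')
    case $lock in
        Enabled)  echo "associated" ;;
        Disabled) echo "clear" ;;
        *)
            # No status line: trust the missing token only if NVRAM was readable.
            if [ -n "$nvram_out" ]; then echo "clear"; else echo "unknown"; fi
            ;;
    esac
}

# On a real Mac, feed the function live output (skipped on other systems).
if [ "$(uname -s)" = "Darwin" ]; then
    echo "This Mac: $(find_my_state "$(nvram -p 2>/dev/null)" \
        "$(system_profiler SPHardwareDataType 2>/dev/null)")"
fi

# Constructed sample: an erased Mac whose NVRAM still carries a token.
sample_nvram=$(printf 'boot-volume\tCONSTRUCTED\nfmm-mobileme-token-FMM\tCONSTRUCTED')
echo "Constructed sample: $(find_my_state "$sample_nvram" "")"
```

A result of "clear" only describes what the machine reports locally; the buyer signing into their own iCloud account, as described above, is still the step that changes which account the Mac is tied to.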

No, removing it from iCloud Settings doesn’t help

[ADDED 2/27/18]: A few people have commented that I should have just removed it from my iCloud account. In a PCMag article, it said

As Apple notes, you can also remove devices from your iCloud account that you no longer have access to by hitting up Settings on, clicking on a device you want to disassociate, and clicking the big “x” delete button next to any devices you no longer have access to. It’s unclear if Mulligan attempted that approach, but his advice still stands for buyers, at least — sign into iCloud yourself to confirm that your seller isn’t keeping tabs on where you are.

I tried this from the iOS app, the Find My iPhone web app, and the iCloud settings. Although it seems like you can remove the app, all it does is remove it from the account until the person logs in again: “This device will reappear if it connects to the Internet.” See below.


You might get excited to see a link to “Lost, sold, or gave away this device?”. One would think that would have the answer. But alas, it does not. It tells you to do the above, and caveats:

If you remove a device from iCloud, and the device reconnects to the Internet, it reappears in the My Devices section of Settings.

So, none of this helps. You can’t remove it for good.

[ADDED 2/26/18]: I’ve gotten feedback that this is a feature, not a bug, and that this allows an owner to track their computer if a theft occurs. I suppose that’s true, but the only thing a thief has to do to override this feature would be to sign into any iCloud account. Then the tracking would stop. So my opinion is that the benefit of that “feature” is outweighed by the privacy issues it causes.

Written by

Entrepreneur & Designer. Currently helping with product @Google via @LaunchKit acquisition. Co-founder of @Cluster. Tweets at @mulligan, views are my own.
