A Google employee has taken to Medium today to describe how he sold an iMac on Craigslist, but has had access to its location for the last 3 years. In the post, Brenden Mulligan explains that he erased the computer and did a clean install of macOS before selling it, but that it has remained on his Find My iPhone account since he sold it…
It wasn’t until recently that Mulligan realized the device was still on his Find My iPhone device list. He explains that he noticed a device called “Michael’s iMac” on his account, located about 100 miles away from his home address.
So this crazy thing happened recently with an old Mac I sold on Craigslist a few years ago. I noticed it was still showing up in my Find My iPhone app. Well, at first I didn’t realize it was that particular Mac. I just happened to notice there was a computer I didn’t recognize in Find My iPhone called “Michael’s iMac”.
I clicked in and saw a computer that wasn’t mine showing up on a map about 100 miles north of my house.
Mulligan says that the user who bought the computer from him on Craigslist didn’t log into their own iCloud account, thus Apple still associates the hardware with his account. Even though he erased macOS before selling it, it was “still associated” with his account, allowing him to track the location “in real-time.”
For whatever reason, this person didn’t need to sign into iCloud. So this meant that Apple still associated the computer hardware with my iCloud account. The computer wasn’t logged into my iCloud account, but was still associated with my account, so I still could track the computer’s location in real-time.
He explains that this poses little security risk to the seller, but it exposes the buyer's location indefinitely. For a stationary desktop like this iMac, that is not a huge deal. Had this been a MacBook, however, Mulligan would have been able to track the buyer's movements for three years.
Additionally, Mulligan still has the ability to "Play Sound," "Lock," and "Erase Mac" via iCloud. Those remote commands are queued until the machine next checks in with Apple, so as long as the iMac was online, he could lock the buyer out of it or wipe it three years after the sale.
With two clicks, at any point, I could shut down this user’s computer and completely wipe it clean. They couldn’t stop it and would have no control. They’d lose everything.
Resolving this problem is relatively simple: the buyer has to sign in to their own iCloud account, which replaces the seller's association with the hardware:
When Michael finally logged into his own iCloud account and turned on Find My Mac, the computer was nice enough to tell him my full name.
Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent OS X update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there’s no chance the seller can track you.
Whether this is a one-time issue, an old issue that has since been fixed, or a lingering problem remains to be seen. It also seems contingent on several factors, chiefly the buyer never signing into iCloud, which likely rules out the vast majority of Macs sold on the resale market.
In principle it makes sense that a Find My association can only be removed by the account holder: the link between the hardware and the iCloud account lives on Apple's servers, not on the disk, so erasing the drive and reinstalling macOS does nothing to clear it. That points to the seller's side of the process as the likely gap: either Find My Mac was never turned off (and the account never signed out) before the erase, or that step was not completed, which is exactly what Apple's own instructions for preparing a Mac for sale are meant to prevent.
Have you ever noticed something like this? Let us know down in the comments and read Mulligan’s full Medium post right here.