Yesterday, a Google employee took to Medium to describe how he unknowingly had access to the location of an iMac he sold three years ago on Craigslist.
Brenden Mulligan explained that he fully erased the machine and performed a clean install of OS X before selling the machine. However, the machine remained on Mulligan’s Find My iPhone account ever since.
It wasn’t until a few days ago when he realized that the device was still listed in Find My iPhone and was able to locate the iMac from 100 miles away. Mulligan said that the new owner of the machine never logged into their own iCloud account, so the iMac was still associated with his iCloud account.
“For whatever reason, this person didn’t need to sign into iCloud. So this meant that Apple still associated the computer hardware with my iCloud account. The computer wasn’t logged into my iCloud account but was still associated with my account, so I still could track the computer’s location in real-time.”
This doesn’t expose much of a security risk for the seller, however, the buyer’s location is definitely exposed. In addition to the location, the seller would also have access to “Play Sound,” “Lock,” and “Erase Mac” via iCloud.
If you are a user of a used Mac, you can resolve this security issue by signing into your own iCloud account.