A Google employee has taken to Medium today to describe how he sold an iMac on Craigslist but has still had access to its location for the last 3 years. In the post, Brenden Mulligan explains that he erased the computer and did a clean install of macOS before selling it, but that it has remained on his Find My iPhone account since he sold it.

It wasn’t until recently that Mulligan realized the device was still on his Find My iPhone device list. He explains that he noticed a device called “Michael’s iMac” on his account, located about 100 miles away from his home address.

Mulligan says that the user who bought the computer from him on Craigslist didn’t log into their own iCloud account, thus Apple still associates the hardware with his account. Even though he erased macOS before selling it, it was “still associated” with his account, allowing him to track the location “in real-time.”

“I clicked in and saw a computer that wasn’t mine showing up on a map about 100 miles north of my house.”

He explains that this doesn’t pose much of a security risk for the seller, but it exposes the buyer’s location indefinitely. Of course, for an iMac, as in this instance, that’s not a huge deal, as iMacs are generally stationary. Had this been a MacBook, however, Mulligan would have been able to track the buyer for three years.

Additionally, Mulligan still has the ability to “Play Sound,” “Lock,” and “Erase Mac” via iCloud. This means he could prevent the buyer from doing anything on the iMac, three years later.

Resolving this problem is relatively simple, as the buyer simply has to sign in to their own iCloud account.

Whether this is a one-time issue, an old issue that has since been fixed, or a lingering problem remains to be seen. Of course, it seems to be contingent upon several different factors, such as the buyer not signing into iCloud, which likely eliminates the vast majority of cases where Macs are sold in the resale market.

“Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent OS X update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there’s no chance the seller can track you.”

In theory, it makes sense that the ‘Find My’ location can only be disabled by an account holder, and it almost seems that something went wrong in the restore process of the iMac, or it wasn’t completed to the very end.
