When buying a used Apple computer, make sure the previous owner has signed out of iCloud. If not, he or she might be able to keep tabs on the old device.

Google product manager Brenden Mulligan found this out the hard way. As he writes in a Medium post, Mulligan sold an iMac on Craigslist three years ago. But he still has access to the computer via Apple's Find My iPhone feature because the person he sold the system to never actually tried to use iCloud.

"So this crazy thing happened recently with an old Mac I sold on Craigslist a few years ago. I noticed it was still showing up in my Find My iPhone app. Well, at first I didn't realize it was that particular Mac. I just happened to notice there was a computer I didn't recognize in Find My iPhone called 'Michael's iMac,' he writes.

"I clicked in and saw a computer that wasn't mine showing up on a map about 100 miles north of my house. I vaguely remembered selling an iMac on Craigslist 3 years ago, and figured that was this one. Then I realized that meant for over 3 years, I had access to this person's exact location. That's insane to me."

Since the system was still registered to his iCloud account, Mulligan could have it play a sound at any point, lock down the computer entirely, or erase its contents—all powers you probably don't want a system's former owner to have. That's in addition to the aforementioned location tracking.

These features can be useful under the right circumstances. In this case, Mulligan got in touch with the computer's buyer—and got the owner to activate his own iCloud account on the iMac—by locking the computer remotely and putting in his own phone number as part of the message that's shown for anyone trying to log into the system.

"Overall, this seems like a massive privacy / security flaw. Maybe Apple has patched this in a more recent OS X update. Again, I sold this computer 3 years ago. But just in case, if you sell a computer, turn off Find My Mac BEFORE wiping it. And if you buy a computer, immediately sign into iCloud so there's no chance the seller can track you," Mulligan writes.

As Apple notes, you can also remove devices from your iCloud account that you no longer have access to by hitting up Settings on icloud.com, clicking on a device you want to disassociate, and clicking the big "x" delete button next to any devices you no longer have access to. It's unclear if Mulligan attempted that approach, but his advice still stands for buyers, at least—sign into iCloud yourself to confirm that your seller isn't keeping tabs on where you are.

Further Reading

Desktop PC Reviews