At least same versions of Splashtop are not as save as they want to be. Especially when only the HD install variant was used. In case of affected versions like 18.104.22.168 you can access all USB media and the Windows partition used to install Splashtop completely! To verify if your version is affected try:
There you can access - without any mod - all files via
For your fun you find even a music.mp3 file there
If your system is directly connected to internet (maybe using DSL dialin within Splashtop or via cable modem) all others can enjoy the content of your hd!
Btw. newer Splashtop version only block the webserver listing, but when you know the name, you still can access the data when you know the deep link. Luckyly they blocked access from outside then - at least 22.214.171.124 fixes it. But it is still possible to aquire the registry or other system files and save em onto USB stick without any mod. That means you can access user data like serials and other data which is stored there. Very nice feature to have Splashtop available to hack pcs without the need of any bootable media
The affected package is bs-apache.sqx.
Edit: I would like to know from a Splashtop developer (maybe via the blog), why the winhdd link is there (take a look into va-photo.sqx) when it is not used by any app. Only this makes a big issue from that error. You are able to view/save files which you can not even access when Win is booted - like the registry.