The problem is that Kano hasn't been offered a job yet.

Maybe DeviceVM should offer him one...he found this security flaw in their software, so he deserves a job.

But OT, things like this need to be fixed fast and an update made available.

127.0.0.1

That screen shot showed the localhost IP address. Is this port also open to the outside world?

When you would click on the thread I created then you would know more. In it I tested 2 versions 1.2.3.1 (I guess any older will have it too) does not block this port from outside. 1.2.8.0 fixed that issue (no idea which versions between those 2 are affected). Well that fix is basically only partly because on a Windows system there are always files at standard postition like the Windows registry. I could have added links for that too, but I am sure you get the idea yourself, that you only have to exploit a firefox error with cross-site scripting (XSS) that downloads the user registry, parses it (for example with ctntpw), gets all MRU files from registry, all plaintext serials, login data and lots of other info. Then you can fetch all recently used files on C: partition or on the partition you installed it as you can create full url. This works of course locally too, very informative for business pcs which have been set to boot first from hd but allow splashtop, preferred the "lite" variant from hd.

Edit: Maybe I forgot to mention that the discovered link to the winhdd is not use by any splashtop app, so only the external link would have been enough. When you know that, then this fault is even more serious. That winhdd link is from va-photo.sqx.