Vine Server Security Exploit and Leopard Incompatibility [unsolved]

I’m not happy with Leopard’s built-in VNC server – no clients seem to be able to connect to it. Some clients can connect if you set the color settings to full color or automatic color, but then it’s slow and unresponsive.
So I was surfing around for free OS X VNC servers and tried Vine Server:
OS X Vine Server (formerly osxvnc)
When you launch the app, the server starts immediately with no password protection. I did set a password, and it worked decently. Then I tried launching the server as a system service, and the application crashed. It would neither force quit nor respond, so I just left it alone.
Then, this morning, I saw someone connect and move my mouse around. The computer would “wake up” when they connected, and they tried to go to the address bar in Safari and double-clicked. I immediately unplugged the Ethernet cable and rebooted, and then uninstalled the program.
I wrote about the bug here:
Vine Server Security Exploit
I’m not sure if this is a bug similar to RealVNC’s authentication vulnerability or if the combination of Leopard incompatibility and the default blank password bug was the problem, but in any case I recommend NOT using this program until this is fixed.

This is the second time I’ve personally been hacked via VNC. The first was in a different part of the country, two years ago, on a PC using the RealVNC exploit. Clearly people have VNC scanners and search for open computers. I recommend NOT using the default port 5900, and testing your computer thoroughly for security.

I’m still looking for a good free remote desktop app for OS X. I like Timbuktu but hate having to install the client everywhere. They should really make a web-based client for it.
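
Testing your own machine, as recommended above, can start with the VNC (RFB) handshake itself: the server announces its security types before any password is asked for, and type 1 ("None") means anyone who reaches the port gets the desktop. The following is an added example, not part of the original post or of Vine Server; the function names are hypothetical and the server bytes in the demo are constructed.

```python
import socket
import struct

def _recv_exact(sock, n):
    """Read exactly n bytes, or raise if the server hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RFB handshake")
        buf += chunk
    return buf

def offered_security_types(sock):
    """Do the RFB version exchange on a connected socket and return the
    security-type numbers the server offers (1 = None, 2 = VNC password).
    An empty list means the server refused the connection."""
    banner = _recv_exact(sock, 12)                  # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError("not an RFB server: %r" % banner)
    version = (int(banner[4:7]), int(banner[8:11]))
    if version < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a 32-bit integer.
        sock.sendall(b"RFB 003.003\n")
        (sec_type,) = struct.unpack(">I", _recv_exact(sock, 4))
        return [sec_type] if sec_type else []
    # RFB 3.7 and later: one count byte, then one byte per offered type.
    sock.sendall(b"RFB 003.007\n" if version == (3, 7) else b"RFB 003.008\n")
    count = _recv_exact(sock, 1)[0]
    return list(_recv_exact(sock, count))

def allows_no_auth(types):
    """True if the server will let a client in without any password."""
    return 1 in types

def check_host(host="127.0.0.1", port=5900, timeout=5.0):
    """Check a VNC server you run yourself; returns (types, no_auth_offered)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        types = offered_security_types(sock)
    return types, allows_no_auth(types)

if __name__ == "__main__":
    # Constructed server side: version 3.8 offering types 1 (None) and 2.
    client, server = socket.socketpair()
    server.sendall(b"RFB 003.008\n" + b"\x02\x01\x02")
    types = offered_security_types(client)
    print(types, "NO PASSWORD REQUIRED" if allows_no_auth(types) else "password required")
```

On the machine running the server, `check_host()` performs the same check against the real port; a result containing 1 means no password is being enforced.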
