a user security hole in mindterm's ssh 2 applet
Adler, Stephen
adler@bnl.gov
18 Sep 2002 17:40:27 -0400
Guys,

Some colleagues of mine who work at Brookhaven National Laboratory have
discovered a rather ugly user-enabled security hole in the mindterm
applet. Here's the hole.

If you download the signed applet via a web browser, then select
the "save password" option, then do not enter in a password to
password protect your .mlp file and then proceed to log into
a system, your password, username and remote host you logged into
are stored on your local host. If someone comes in and uses the
local host and downloads the signed applet, he/she can then log
into your remote host, under your account without knowing your
password.

I believe the developers of this latest version of mindterm assumed
that if you're prompted for a password to encrypt the file which will
store the passwords, then the user would enter in the password. But
the fact that it leaves open the option to not enter in a password,
which in turn then leaves your system with a way of logging into
a system without knowing the password or having to enter in a
password to decrypt the saved password file, is bad security design.

I don't know how to reach the mindterm developers, but it would be good
to find a way to close this hole, either by setting up some way of
disabling the saving of passwords, or forcing the user to enter in
a password to encrypt the local password file.

Am I explaining the security hole properly? Do people understand what
I'm talking about?

Is this an issue which has come up on the mailing lists? I have done
a quick search but have not found this topic brought up.

Cheers. Steve.
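
The two fixes proposed in the message above (a switch that disables saving, and a mandatory password on the saved-password file) can be shown as a save routine that refuses to write anything when the file password is empty. This is an added example, not MindTerm code and not the .mlp format: the class and method names, the record layout, the minimum length, and the choice of PBKDF2 with AES-GCM are all assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Hypothetical credential store; all names here are illustrative, not MindTerm's.
public class SavedLoginStore {
    static final boolean ALLOW_SAVING = true; // policy switch: false disables saving entirely
    static final int MIN_PASSPHRASE_LEN = 8;  // assumed minimum, not from the original post

    // Returns salt || iv || ciphertext, or throws instead of producing an unprotected file.
    static byte[] seal(String host, String user, char[] loginPassword, char[] filePassphrase)
            throws Exception {
        if (!ALLOW_SAVING)
            throw new IllegalStateException("saving passwords is disabled by policy");
        if (filePassphrase == null || filePassphrase.length < MIN_PASSPHRASE_LEN)
            throw new IllegalArgumentException("a file password is required to save a login");
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt); rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(filePassphrase, salt), new GCMParameterSpec(128, iv));
        String record = host + "\n" + user + "\n" + new String(loginPassword);
        byte[] ct = c.doFinal(record.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(salt.length + iv.length + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Stretch the file password into a 256-bit AES key; a fresh salt is used for every save.
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 200_000, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-login-pw".toCharArray(); // constructed sample values throughout
        try {
            seal("host.example", "alice", pw, new char[0]); // the empty-password case from the report
            System.out.println("BUG: saved without a file password");
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
        byte[] blob = seal("host.example", "alice", pw, "correct horse battery".toCharArray());
        System.out.println("sealed " + blob.length + " bytes");
    }
}
```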