
macfelix

macrumors newbie
Original poster
Today I've enabled screen sharing on my iMac for two accounts: the administrator account and a restricted user account.
Now it is possible to start screen sharing from a different machine using the restricted user. The big problem I see is that starting screen sharing using the restricted user is even possible if the administrator is currently logged in and working on the machine/having the screen not locked.
In this case the restricted user can start a screen sharing session and work with the administrator account on the target machine. OK, if the administrator is sitting in front of the machine, he would detect what's going on, but the restricted user may be able to watch the administrator's screen without getting detected.
I think when a user tries to start a screen sharing session, the user in front of the machine should see a big hint so that he has the chance to decline the connection attempt.
Or better, when a user starts a screen sharing session he should see his remote desktop with his privileges (and not the screen of the currently logged in user).
Am I right that this is a security problem or am I a little bit too paranoid?

Felix
 
BTMM doesn't log you in as a different user, but by design, you will see whatever session the currently logged-in (hosting) user is. That's the point of it. I think there is some confusion in that it's not simply a copy of MSTSC, but a different type of remote desktop. It has the potential for a security risk, but then so does any RD-type connection. I don't see it as a flaw, really.
 