GRAU DATA Blocky before 3.1 stores passwords encrypted rather than hashed. At the login screen, the users password is compared to the users decrypted cleartext password. An attacker with Windows admin or debugging rights can therefore steal the users Blocky password and from there impersonate that local user.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.