There is a vulnerability that can allow a user to gain internet access using an empty username in some circumstances. Everyone is advised to update their auth server to revision 1304, which fixes the vulnerability.