Are you using the old RealVNC bug that allows the password to be bypassed by ignoring what authentication methods the server advertises and using "none", or only hitting stuff that actually says it supports connecting without a password?
The latter. We didn't know about that bug until now, but we'll probably keep it this way so connections work with any VNC client people might have lying around.
I thought you could possibly be exploiting the bug unintentionally - a hacked together client that just attempts to connect with null auth would do it. Not sure how common that vuln is.
