An app such as kuroo or klamav, which runs under kdesu --nonewdcop is left in the systray at logout. On next login, the app now connects with root's dcop server instead of the user's. This means that any e.g. links accessed from within the app run as root thus allowing an effective priviledge escalation beyond that needed for the app - as well as being a bloody nuisance.
Created attachment 87795 [details]
shows, I hope the effect of clicking a link in kuroo
This is `dcop` as root :
possum brian # dcop
possum brian #
Have you reported this to the KDE folks?
Please, report this upstream and post the URL here for tracking.