Comment 3 for bug 1447679

Andrew Laski (alaski) wrote :

You are correct that a user who has the authentication token can gain access to the console. Whether or not that provides you useful access to the guest depends on whether or not there is still a logged in session there.

Because the token is present in the URL, which is something I'm not sure we can work around due to how authentication is handled for websocket access, it would be best to offer that service over https to discourage network sniffing or web proxy logging. So outside of browser history or the ability to sniff a network I don't see a vulnerability here. And I'll have to defer to someone with more knowledge on the console sessions themselves to provide input on ways to further secure them.
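The exposure described in the comment (a console token carried in the URL query string, so it ends up in browser history and in web proxy or access logs, and is readable on the wire when the proxy is served over plain http) can be checked mechanically. The block below is an added example and is not code from the bug report or from Nova itself: the URL layout (`vnc_auto.html?token=...`), the host name, the token value, the access-log lines and the function names are all constructed here for illustration.

```python
"""Added example: inspect console URLs for the token-in-URL exposure
discussed above, redact them before logging, and scan access-log lines
for tokens that were already recorded.  Hosts, tokens and log lines are
constructed; the URL shape is an assumption, not Nova's canonical one."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample inputs (not taken from any real deployment).
PLAIN_URL = ("http://console.example.test:6080/vnc_auto.html"
             "?token=4a3e0c9e-1b2f-4d7a-9c1e-5f6a7b8c9d0e")
TLS_URL = ("https://console.example.test:6080/vnc_auto.html"
           "?token=4a3e0c9e-1b2f-4d7a-9c1e-5f6a7b8c9d0e")
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [29/Apr/2015:10:12:01 +0000] "GET /vnc_auto.html'
    '?token=4a3e0c9e-1b2f-4d7a-9c1e-5f6a7b8c9d0e HTTP/1.1" 200 1532',
    '10.0.0.5 - - [29/Apr/2015:10:12:02 +0000] "GET /static/novnc.js'
    ' HTTP/1.1" 200 88211',
]

# Matches a token query parameter wherever it appears in a log line.
TOKEN_RE = re.compile(r"[?&]token=([0-9A-Za-z._~-]+)")


def analyze_console_url(url):
    """Return the scheme, the token (if any) and a list of findings that
    mirror the two concerns in the comment: plaintext transport, and a
    token in the query string that logs and history will retain."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    token = params.get("token", [None])[0]
    findings = []
    if parts.scheme != "https":
        findings.append("plaintext scheme: token and console traffic are "
                        "readable by anyone who can sniff the path")
    if token is not None:
        findings.append("token in query string: recorded in browser history, "
                        "Referer headers and proxy/access logs")
    return {"scheme": parts.scheme, "token": token, "findings": findings}


def redact_console_url(url):
    """Return the URL with the token value replaced, so the URL can be
    written to an application log without leaking the credential."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "token" in params:
        params["token"] = ["REDACTED"]
    query = urlencode(params, doseq=True)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query,
                       parts.fragment))


def find_tokens_in_log(lines):
    """Scan access-log lines for console tokens already captured by a
    proxy; each hit is a credential that should be treated as exposed."""
    return [m.group(1) for line in lines for m in TOKEN_RE.finditer(line)]


if __name__ == "__main__":
    for url in (PLAIN_URL, TLS_URL):
        report = analyze_console_url(url)
        print(redact_console_url(url))
        for finding in report["findings"]:
            print("  -", finding)
    print("tokens found in proxy log:", find_tokens_in_log(SAMPLE_PROXY_LOG))
```

Serving the proxy over https removes only the first finding; the token still reaches any log that records request lines, which is why `redact_console_url` is applied before logging and `find_tokens_in_log` is the check to run against existing proxy logs.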