LXDM before 0.5.2 did not start X server with -auth, which allows local users to bypass authentication with X connections.