I couldn't find a security contact at Telerik, so I'm opening a new thread here. Sorry if it's already been discussed or resolved.
As I blogged at http://blog.jpcert.or.jp/2015/05/fiddler-cores-insecure-default-flag-may-lead-to-open-proxy-issue.html,
the expected behaviour of FiddlerCoreStartupFlags.Default seems to be different from what it should be, because AllowRemoteClients is false under the default configuration of the standalone Fiddler application. Because setting the flag to 'Default' is recommended in the developer manual, many developers could use the flag without understanding the possibility of an 'Open Proxy' issue.
It would be nice if FiddlerCoreStartupFlags.Default were changed so that AllowRemoteClients is toggled off by default.
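
An added example, not part of the original post and not Telerik's code: an application embedding FiddlerCore can keep the recommended `Default` flags while clearing `AllowRemoteClients`, then ask the operating system which addresses the proxy port is actually bound to. The port number is a hypothetical choice, and the expectation that FiddlerCore listens only on loopback once the flag is cleared is an assumption that the check itself verifies.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using Fiddler;

static class LoopbackOnlyProxy
{
    // Hypothetical port chosen for this example.
    const int Port = 8877;

    static void Main()
    {
        // Keep the recommended defaults but clear the bit that lets
        // other hosts connect to the proxy.
        FiddlerCoreStartupFlags flags =
            FiddlerCoreStartupFlags.Default & ~FiddlerCoreStartupFlags.AllowRemoteClients;

        FiddlerApplication.Startup(Port, flags);
        try
        {
            // Independent check: list the local endpoints listening on the port.
            // Assumption: no other process is listening on the same port.
            IPEndPoint[] listeners = IPGlobalProperties.GetIPGlobalProperties()
                .GetActiveTcpListeners()
                .Where(ep => ep.Port == Port)
                .ToArray();

            foreach (IPEndPoint ep in listeners)
                Console.WriteLine("listening on {0}", ep);

            // Fail closed if nothing is listening or any endpoint is not
            // a loopback address (for example 0.0.0.0 or [::]).
            if (listeners.Length == 0 ||
                listeners.Any(ep => !IPAddress.IsLoopback(ep.Address)))
            {
                throw new InvalidOperationException(
                    "Proxy port is not bound to loopback only.");
            }
        }
        finally
        {
            FiddlerApplication.Shutdown();
        }
    }
}
```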