What is the added benefit of sending MD5 hashes instead of plain-text passwords? I mean, the MD5 hash will be the same for the same password, isn't it?
I hope that Yahoo has implemented something more complicated that that, otherwise it is plain pointless.
Take a closer look at how it's being used. The client isn't just sending a MD5 hash of the password -- there's a challenge/response system being used.
PGP.sig
Description: This is a digitally signed message part
