I happened to read this recent blog post on Holden's blog. According to him, Yahoo! Zimbra desktop main client exposes username, password information in plain text. He has discovered this flaw during a Yahoo! 'hacku' day at the University of Waterloo. The following image which was found on the same blog shows how Zimbra sending authentication information in plain text could be observed on Wireshark.