Client side password hashing with exposed salt word – did I find a breach?


I downloaded a software that has a login interface. It’s a $ 100 a month subscription software.

I disassembled the software and found that passwords are being sent by combining them with a hard coded “salt” that everyone can see in the source code (is it really “salt” if it’s the same for everyone?), encrypting them with MD5 and sending the hash to the server.

I hope that the passwords are encrypted again on the server side with unique salts to every user, but even if they do, isn’t this a breach? Can’t an attacker sniff the passwords easily, or do a send-the-hash attack?