This exploit assumes Eve has knowledge of the factorization of N and can eaves drop on communications between Alice and Bob

1 Eve records the username sent by Alice in step 1
2 Eve records the salt and nonce Bob sends back
3 Eve records the IV for the ciphertext blob Alice sends in step 6
4 Eve can find x|nonce from the IV (g^(x|nonce)) because she knows the value of phi(N) from the factorization of N
5 Eve strips away the known values for username, salt, and nonce from x|nonce and gets Alice's password.