KMail password encryption trivial to crack
  Publishing date: 02/06/2009

All the account information of KDE's KMail is stored in the file .kde/share/config/kmailrc, which contains an entry named passwd. This entry holds the encrypted POP3 password. That would be fine if the password were not completely trivial to recover, because no real encryption algorithm is used. In fact, KMail uses the following one:

 E(c)=ASCII(287-ASCII(c))

For example,

 E(ñ)=ASCII(287-ASCII(ñ))=ASCII(287-241)=ASCII(46)=.

 E(kde)=E(k)E(d)E(e)=ASCII(287-ASCII(k))ASCII(287-ASCII(d))ASCII(287-ASCII(e))=
       =ASCII(287-107)ASCII(287-100)ASCII(287-101)=
       =ASCII(180)ASCII(187)ASCII(186)
       =´»º

Obviously, this vulnerability is quite serious, even though KMail does not store POP3 passwords by default: the user has to check the "Store password in configuration file" option for that to happen. Given the scrambling algorithm, it is recommended not to use this option.

There is also another problem in KMail that is related to this one: when a user account is deleted, all the information of that account, including the poorly encrypted password, stays in the configuration file. This makes the threat posed by this vulnerability even bigger.
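The following audit sketch is an added example, not code from KMail or from the original advisory. It covers both points above: it shows that E is its own keyless inverse, and it lists every section of a kmailrc-style file that still carries a non-empty passwd entry so the entry can be removed. The section names, the Name key and the sample contents are constructed assumptions.

```python
SUM = 287  # constant from the page's formula E(c) = ASCII(287 - ASCII(c))

def scramble(text):
    """Apply E to each character. Defined for character codes 32..255."""
    out = []
    for ch in text:
        if not 32 <= ord(ch) <= 255:
            raise ValueError(f"code {ord(ch)} is outside 32..255")
        out.append(chr(SUM - ord(ch)))
    return "".join(out)

def find_stored_passwords(config_text):
    """Return (section, scrambled_length) for every non-empty passwd entry."""
    findings = []
    section = None
    # Split on "\n" only: scrambled values may contain characters such as
    # U+0085 that str.splitlines() would treat as line breaks.
    for raw in config_text.split("\n"):
        line = raw.rstrip("\r")
        if line.startswith("[") and line.rstrip().endswith("]"):
            section = line.strip()[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            # Do not strip the value: E maps code 255 to a space.
            if key.strip() == "passwd" and value:
                findings.append((section, len(value)))
    return findings

# Constructed sample; section and key names other than passwd are assumptions.
SAMPLE = (
    "[Account 1]\n"
    "Name=work\n"
    "passwd=" + scramble("kde") + "\n"
    "[Account 2]\n"
    "Name=old-account\n"
    "passwd=" + scramble("secret") + "\n"
    "[Account 3]\n"
    "Name=no-stored-password\n"
    "passwd=\n"
)

if __name__ == "__main__":
    # 287 - (287 - x) = x, so applying E twice returns the input: there is no key.
    assert scramble(scramble("kde")) == "kde"
    for section, length in find_stored_passwords(SAMPLE):
        print(f"[{section}] holds a {length}-character scrambled password; remove the passwd entry")
```

The report prints only the section and the length, so running it does not put the stored secrets on screen or in logs.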

