Security proof is a key criterion to judge the satisfaction of the security requirements in a protocol. Recently, Chang et al. proposed a password-based three-party key exchange protocol without server's public key. The security goal of the proposed protocol is to eliminate various security threats. In this paper, we show that the proposed protocol is still suffered from the denial of service and the man-in-the-middle attacks. We also prove that the probability of an adversary breaking the AKE security of the protocol is non-negligible in the random oracle model.