Single Sign-On (SSO) is an authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. Their scheme is actually insecure, as it fails to meet credential privacy and soundness of authentication. Specifically, two impersonation attacks are presented. The first attack allows a malicious service provider that has successfully communicated with a user twice to recover the user's credential and then impersonate the user to access resources and services offered by other service providers.