At that step, GUIDs were exchanged, already.
When making session key, server only checks its own GUID at first and client's GUID is not used.
Despite of this, client sends its GUID and server's GUID.
Also, I think that GUIDs were already exposed because they had been transferred as a plaintext.
If attacker tries to exchange master key with real client's GUID earlier than that client, then, I think that attacker can obtain a master key of a real client and that client may have a problem.
I want to know others' thought.
Thank you for reading.