CBC-MAC weakness?

From: Will Dickson (wrd_at_glaurung.demon.co.uk)
Date: 06/24/03

Date: Tue, 24 Jun 2003 00:36:54 +0100

I'm looking at using CBC-MAC in an application; since it's using CBC
mode anyway, CBC-MAC is more-or-less free in the context. (Performance
is important; I don't want to use eg. HMAC because the hashing
overhead involved would be a significant issue.)

Applied Crypto says this about CBC-MAC:

"The potential security problem with this method is that [the attacker
can] generate messages with the same hash value as a given message by
decrypting in the reverse direction."

I can understand why this is an undesirable property on general
principles - clearly you don't want the attacker to be able to do
anything - but I can't see a situation where this would actually be a
threat. Could somebody give me / point me to an example?