Board Announcements (Altcoins)
Re: Nxt :: descendant of Bitcoin - Updated Information
by
rickyjames
on 01/01/2014, 20:56:41 UTC
I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check?

What worries me most is the possibility of a bug in the client, which would allow the attacker to instruct it to send money directly.
And since the client is already exposed to the outside world through the firewall and its IP is known, it can be a really nasty threat.

If a hacker has ALREADY gotten your main account password once to get into the account in the first place, having to type it AGAIN is no additional security at all. This only prevents somebody physically in front of your keyboard from ripping you off.

This is absolutely a concern and why a withdrawal verification/unfreeze password shouldn't enable the LOCAL CLIENT/SERVER to do something; it should be COMBINED WITH SOMETHING PREVIOUSLY PUT ON THE BLOCKCHAIN that is processed by THE REMOTE SERVER PROCESSING THE BLOCK to enable the withdrawal. The latter is MUCH MORE SECURE.

The first time a local client is hacked in NXT (and you should assume this WILL happen) then NXT has a HUGE PR problem....