The server (the Java process) stores the user's secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.
That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via API, but via some exploitable hole.
And again, since it's open to the world and its IP is well known, this is scary.
So to be sure, a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?
I didn't like that, and this is why I removed that possibility and added the requirement for the secret phrase on the send money dialog too.
That was a good addition, thanks.