Post
Topic
Board Announcements (Altcoins)
Re: Nxt :: descendant of Bitcoin - Updated Information
by
Jean-Luc
on 01/01/2014, 21:35:09 UTC
The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via API, but via some exploitable hole.

And again, since it's open to the world and its IP is well known, this is scary.

So to be sure a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?
Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right?

We should focus on finding out how his account was hacked. It is not likely to be a remotely exploitable hole, exactly because it was not a big public node. I mine on a machine with a public IP that is on almost all the time with an account of a few million, why wasn't I attacked? I just don't think it is a remote exploit at work here. More likely something in his browser or computer. A JavaScript cross-site scripting exploit? Was he browsing any other sites at the moment, possibly Nxt-related?