And if all authentication is done client-side with JavaScript, the attacker could steal your private key and use it to attack other sites.