bip32 hd wallets – How can a hacker steal funds received in the future when there is only xpub on the server?
For websites selling goods in Bitcoin, it is common practice to use xPub to obtain a new address for each customer. This has two benefits: 1) Using a new address protects the seller’s privacy because funds become more difficult to track. 2) Each individual order includes your Bitcoin address as a unique identifier, making order processing much easier.
It is true that even if xPub were leaked, hackers would not be able to use any of the funds. However, he can see addresses created in the past and future and can monitor all traffic in the wallet.
If a website is hacked, there are ways for hackers to steal Bitcoin for the seller. For example, a hacker can change a website’s xPub to their own, so all future transactions will be made from the hacker’s wallet instead of the seller. What the book points out is that in the case of a hack, xPub makes it impossible to steal bitcoins sent before the hack.