Applets that perform JDBC database operations in an untrusted environment can compromise database credentials.
By default, Java Applets are allowed to open database connections back to the server from which they were downloaded. In a trusted environment this is acceptable. In an untrusted environment, however, an attacker who controls the client can extract the database credentials from the Applet (they must be present in the bytecode or its parameters for the connection to succeed) and use them to access the database directly, bypassing any checks the Applet performs.
Example 1: The following code shows a hardcoded database password being used in an applet.
import java.awt.Graphics;
import java.sql.*;
import javax.swing.JApplet;

public class CustomerServiceApplet extends JApplet
{
    private Connection conn;

    public void paint(Graphics g)
    {
        ...
        // Credentials are compiled into bytecode that is shipped to every client
        conn = DriverManager.getConnection("jdbc:mysql://db.example.com/customerDB", "csr", "p4ssw0rd");
        ...
    }
}
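The remediation is to keep JDBC, and therefore the credentials, off the client entirely: the Applet calls an authenticated endpoint on its origin server, and only the server opens the database connection. The following is an added example, not part of the original text; the servlet path /customer, the applet parameter customerId, the JNDI name java:comp/env/jdbc/customerDB and the customers table are assumed for illustration.

```java
// ---- CustomerServiceApplet.java (client side, runs in the browser) ----
import java.awt.Graphics;
import java.io.*;
import java.net.URL;
import javax.swing.JApplet;
public class CustomerServiceApplet extends JApplet {
    private String summary = "(loading)";
    // No JDBC driver, URL or credentials here: the applet only talks to its origin server.
    public void init() {
        try {
            URL endpoint = new URL(getCodeBase(), "customer?id=" + getParameter("customerId"));
            try (BufferedReader in = new BufferedReader(new InputStreamReader(endpoint.openStream()))) {
                summary = String.valueOf(in.readLine());
            }
        } catch (IOException e) {
            summary = "lookup failed";
        }
    }
    public void paint(Graphics g) {
        g.drawString(summary, 10, 20);
    }
}

// ---- CustomerServlet.java (server side, mapped to /customer; assumed layout) ----
import java.io.IOException;
import java.sql.*;
import javax.naming.*;
import javax.servlet.http.*;
import javax.sql.DataSource;
public class CustomerServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Container-managed authentication: anonymous callers get nothing.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // Credentials live in the container's DataSource definition, never in client bytecode.
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/customerDB");
            try (Connection conn = ds.getConnection();
                 PreparedStatement ps = conn.prepareStatement("SELECT name FROM customers WHERE id = ?")) {
                ps.setInt(1, Integer.parseInt(req.getParameter("id")));
                try (ResultSet rs = ps.executeQuery()) {
                    resp.getWriter().println(rs.next() ? rs.getString(1) : "not found");
                }
            }
        } catch (NamingException | SQLException | NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

Whether the authenticated principal is allowed to read the requested customer record is a separate authorization check that belongs in the servlet as well.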
[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 305
[2] JDBC Guide: Getting Started - Security Considerations, Sun Microsystems, Inc.