What are the security ramifications of using the Externalizable interface?

Govind Seshadri

The methods within the Externalizable interface, readExternal() and writeExternal() have public scope. This implies some client object could potentially bypass the Java sandbox mechanisms and overwrite or gain access to the state of an externalizable object.

As a general rule of thumb, a class should implement the Externalizable interface only if the object contains nonsensistive information.