A security loophole at online finance site moneyextra has left the financial details of its users open for public viewing.
The flaw in moneyextra's site exposes a user's log in name and password. It means that if a moneyextra customer accesses the service on a shared computer - at work or at an internet café or library - anyone who subsequently sits down at that computer would have access to their entire financial portfolio.
Moneyextra user Geoff Bowen discovered the flaw while checking his online portfolio.
"I was shocked that such a big company is enabling potential hackers to easily access users' personal details by simply looking at their history," he said.
Mr Bowen, the managing director of internet services company X-line, said that passing on a user's log in details through a URL, or internet address, is one of the most common security flaws around.
"They really should have known better," he added.
The areas of the site accessible by the password include a file which, depending on how a user has set it up, could display credit card, banking, mortgage and share details.
Even if users choose the high security option - which forces customers to enter a username and password every time the site is accessed - the username and password would be visible in the web browser's history.
The details are clearly identifiable, in plain text, in the address field of Internet Explorer browsers.
The flaw does not appear to affect users of Netscape.
Moneyextra acknowledged that user profiles should not be visible in this way.
"It was on high security? Bloody hell," said the deputy web producer, Damian Vincent. "It's because we are doing the URL in http rather than in secure https. Http is standard level security, but https is encrypted and secure."
Andy Pratt, the programme and IT director at moneyextra, said the problem would be corrected within two weeks with the launch of a new portfolio service. He added that all transactional services on moneyextra, such as online share dealing, already operate under a separate and encrypted security system.
Useful links
