Two key Microsoft technologies have been hit by new vulnerabilities, potentially exposing users' financial details.

According to a contributor to the open security industry mailing list Full Disclosure, a flaw in Microsoft's Passport system exposed users' personal information, including financial details in some cases.

Used by millions, Passport allows users to log-in to multiple websites with one set of data.

The flaw would allow a hacker who knew a user's name to pretend to have forgotten their password, request a change and redirect the automated email to their own account, instead of to the intended recipient.

This is possible because the URL of the web page generated by the password request contains both the target address and the address to which the new password should be sent.

Microsoft explained that the flaw was fixed within four hours and criticised the contributor for posting to an open forum before contacting the company, thereby putting millions of users' details at risk.

The contributor insisted that Microsoft had been contacted about the problems, but the software giant claimed to have no record of the warning.

"All Passport accounts are now safe," said Simon Conant, Microsoft's security programme manager.

"We're going full speed to get this sorted out completely as fast as possible. A minuscule number of people won't be able to get into their accounts and should contact us, but even then their accounts are secure."

Further details can be found at the Microsoft security website here.

The company has also warned of a critical flaw in Windows Media Player 7.1 and 8.0, but not in the latest version 9.0.

The flaw could allow someone to create malware masquerading as a Media Player skin and place it on a target's system. A patch for both versions is available here.