I failed to send this to Mitchell Baker as I could not locate an email address for her that worked.
I am a retired but very much faithful Mozilla user since its Netscape inception that today discovered a security flaw in Firefox that has slipped by everyone, probably in the name of user friendliness. I could not sleep with this on my mind! It took me some time to find your contact info but I felt that it needs to go to the top so that it does not get swept under the rug.
I discovered this because Firefox inadvertently signed me into my bank account. Firefox knew my password! I never knowingly give my "serious" passwords to any system other than in sign-ins. Further, I never write down on a system or on paper any password. Passwords on systems must always be one way; in Linux or Unix the user cannot see their own password nor can the root user see it, they can change it but not see it.
In Firefox/Settings/Privacy&Security/Logins&Passwords/SavedLogins is a listing of all the accounts that I frequent along with their viewable clear text passwords! To see this someone would have to get access to my computer, laptop, Android tablet, iPad, Raspberry Pi, etc which are all synced (user friendly). But there are my passwords available in clear text! During my 50+ years dealing with system issues I fought naive security issues like this.
I trust that you understand this problem and will have it quietly and securely dealt with. I trust and love your products.
Carl E. Køhn