When searching stored logins by typing into the search bar on about:logins, matching logins are displayed not only if the text typed in occurs in the domain or user name, but also if it occurs in the stored password. This provides bad actors easy access to a user's login data.
The only guard against this is that the master password needs to be entered at some point during the session, but not upon opening about:logins or before performing the search.
