I work for Mozilla on Firefox and I just wanted to respond to some of the claims being made here. We've opened up the bug so that others can take a look (bug 570658), but there is not much to see, here. The bug says that:
1) if you visit a page that uses an iframe
2) and that iframe's src attribute uses a deceptive url (e.g. "http://email@example.com")
3) then we don't pop up a warning that the url is deceptive
What's odd about the bug is that there is very little value to step 2 - only someone examining the page's source would notice the iframe's src attribute, so it's not clear to me where the deception is supposed to come in. A genuinely malicious page would source their attack iframes directly, unless they thought that this deceptive url might fool our phishing/malware protection. It won't.
If someone thinks we're overlooking an attack vector here, we're really interested to hear it, but as described the attack feels pretty weak.
If you think we're missing something critical, please do comment in the bug or get in touch with our security group ( http://www.mozilla.org/security/ ).