Comment 6 for bug 1620323

This isn't really a security issue, it is how URLs work. The value specified before the "@" is considered to be the username. See RFC 3986. (https://www.ietf.org/rfc/rfc3986.txt)

That being said, while Chrome simply allows the username, firefox does display a warning to the user.