It’s kind of sad that Firefox is so much more secure than Internet Explorer in so many ways, but the feature that saves passwords leaves access to your data wide open.
If you are an administrator or you have direct access to a Firefox users’ PC, you can grab their passwords and transfer them over to your computer very easily. The file holding all the data is the SIGNONS.TXT file. This holds all saved usernames and passwords for each firefox profile. You can find the file at:
C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\Profile Folder
The file is encrypted, but if you also take the KEY3.DB file from the same directory and put it on your computer you can use the Firefox browser on your computer to access all of the sites of the hacked user. Just place the files in the same location (be sure to backup your copies first).
You can also view the passwords in Firefox at:
TOOLS–>OPTIONS–>PRIVACY and click on the VIEW SAVED PASSWORS button. Then choose SHOW PASSWORDS.
Protect yourself from this vulnerability:
This article applies to Mozilla Firefox 1.5x