If you mean using the browser or OS password mechanism, then sure, if you're logged in as the user you can access their secrets.
But this doesn't should not be true for "remember me" cookies. Those just need some identifier.
At any rate, you still need "talent": to know where the person is, when they're going for coffee, ability to access their machine without bystanders asking questions, etc.
If you control any firewall or router along the way you can inject iframes which retrieve any url you like and run script in the same-origin context. Except for "https only" sites, but note that Microsoft helpfully provides the government of Tunisia with a trusted root CA in their products. Try https://www.certification.tn/ . I wonder if it's a code-signing cert?
> Microsoft helpfully provides the government of Tunisia with a trusted root CA in their products
Isn't this rather huge news? Why did they do this sort of downgrading hackery when they could do a more elegant (and slightly more transparent) man in the middle?
A) It's better to avoid using your capability even if you have it.
B) Probably a lot of users prefer Mozilla, though it may defer to the system store on Windows anyway, I'm not sure.
C) For the same reasons it's a pain for FB to use https everywhere, it's a pain for Tunisia to set up SSL interception on their outbound connections. There are certainly off-the-shelf boxes which can do it though.
If you have access to a Windows machine, visit http://bit.ly/eWYRbA in IE then check your personal cert store for Agence Nationale de Certification Electronique
By very easy I mean it requires almost no talent.
Long time back (even)I wrote a script to grab password and username using DOM and JavaScript.