Is it possible for hackers to steal password stored in your browser?

If a hacker gains administrative access to your computer, he can certainly steal the passwords stored in the browser. That is one of the good reasons why you shouldn't store high-sensitive passwords in the browser.

Remember that the browser must be able to decrypt your password into clear-text, in order to be able to submit it for you automatically when you wish to gain access to a site. This is what makes the browser the most vulnerable. In many other systems (including the Windows passwords), the actual passwords are not stored, but instead a one-way hash of the actual password, making it practically impossible to revert the stored value to the actual clear-text password.


About the source code part:

There is a debate about it. Some people like the idea of so called "security through obscurity". The core of that idea is that the bad guy doesn't know how system he is attacking works. So in case of browsers that means that he wouldn't have access to source code. In a perfect system, security through obscurity would make a system safer. Unfortunately browsers aren't perfect enough for that. Usually there are bugs which go unnoticed by development team and which may be exploited.

That's why open source browsers like Firefox for example use another security doctrine. Their developers believe that source code should be public. This will allow attackers to know how browser works, but on the other side it will allow security researchers to find bugs and report them so that developers may fix them. The idea is to make a browser so safe that it has no vulnerable places which crackers can exploit. If there are no vulnerabilities, the fact that crackers know how browser works does not help them.