The bug is straightforward: RSA implementations don't verify all the bits in the padding, but rather "parse" it to find the digest, and then verify that. But there are, of course, bajillions of potential padded signature block representations that contain any given digest, since the block is so much bigger than the digest. For e=3, and for particularly naive implementations (like Firefox's, at the time) you can almost literally just formulate the signature block you want, then take its cube root to forge a signature.
Sorry to disapoint I did not do all the cryptopals :P filippo actually has a good blogpost on that attack IIRC.
(There are some set-7 problems I haven't done yet, for whatever that's worth. But e=3 sigs are a big one!)