LastPass Bugs Allow Malicious Websites to Steal Passwords

The bug, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website. All bugs were discovered by Tavis Ormandy, a security researcher working for Google’s Project Zero.

The vulnerability affecting the LastPass Chrome extension can be exploited by attacking an intermediary JS script that stands between the user’s browser and the LastPass cloud service, where the company stores user passwords. LastPass users are exposed to simple attack vectors, as attackers can host the weaponized code as a regular JS script on a website.

One bug affected the LastPass for Chrome extension, while the other two affected the company’s Firefox add-on. Just like the Chrome extension issue, the exploitation vector for these two issues is malicious JavaScript code that can be hidden on any website, whether owned by the attacker or a compromised legitimate site.
