Almost as if commingling trusted and untrusted code in the same execution environment, separated by only the thinnest of barriers, might result in mistakes being made.
LastPass is a joke. Using them at this point is digging your own grave.
Nice statement. Can you back it up? Is it due to this XSS vulnerability? Or is it broader than that? Do you have alternatives one should look into?
LastPass has a long history of poor security. This is the second one I’m aware of this year. I can think of two or three other instances over the years and it would be easy to find details about them on Google.
Regarding alternatives: never use cloud-based password managers. Use KeePass, pass or something like that and only synchronize the ciphertext.
I wonder if Chromium devs are taking all these bugs as indicators that the current state of coding “secure” extensions is pitiful. I’d argue this is partially because of the lack of documentation on how to do things right (like Tavis' explanation on how you have to declare the trusted variable… Who would have known that?).