

Security Analysis of Web-based Password Managers [pdf] - tinco
http://devd.me/papers/pwdmgr-usenix14.pdf

======
tinco
tl;dr is that, among 4 others, LastPass had some serious security flaws last
year. An attacker could, if they had control over the website the victim was
browsing, read any password from the database by exploiting the bookmarklet.

The issue was resolved by hosting the encryption key in an iframe and
communicating requests via postMessage.
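To make the point of that fix concrete, here is an added sketch of the isolation pattern the comment describes (iframe on the password manager's origin, requests via postMessage). It is not LastPass's code and not code from the paper; the origin, the vault contents and the handler names are constructed for the example. The property it demonstrates is the one that matters: once the decrypted vault lives only inside a frame on the vendor's origin, the hostile page can no longer read it directly, and the frame must key every lookup on the browser-supplied `event.origin` rather than on a URL the page claims, because anything in `event.data` is attacker-controlled.

```javascript
// Added illustration of iframe + postMessage isolation for a password-manager
// bookmarklet. NOT LastPass's code and not from the paper: PWM_ORIGIN, VAULT,
// and the handler names are constructed for this example.
//
// Threat model: the bookmarklet runs inside a page the attacker controls, so
// every value it sends can be forged. The iframe (served from PWM_ORIGIN) holds
// the decrypted vault and answers requests. The only thing in a message event
// the attacker cannot forge is event.origin, which the browser fills in.

const PWM_ORIGIN = "https://vault.example-pwm.test"; // constructed

// Constructed sample vault, already decrypted inside the iframe. Keys are the
// site origins the credentials belong to.
const VAULT = {
  "https://bank.example": { user: "alice", pass: "hunter2" },
  "https://mail.example": { user: "alice@mail.example", pass: "s3cr3t" },
};

// Vulnerable iframe handler: trusts the URL the page claims in the message.
// A page at https://evil.example simply asks for "https://bank.example".
function vulnerableHandler(event) {
  const { type, url } = event.data || {};
  if (type !== "fill") return null;
  return VAULT[url] || null;
}

// Hardened iframe handler: ignores any claimed URL and keys the lookup on
// event.origin. Also refuses opaque origins ("null", e.g. sandboxed frames or
// data: URLs) and anything that is not https, so a credential never leaves
// the frame for a page that does not actually live at that origin.
function hardenedHandler(event) {
  const { type } = event.data || {};
  if (type !== "fill") return null;
  const origin = event.origin;
  if (typeof origin !== "string" || !origin.startsWith("https://")) return null;
  return VAULT[origin] || null;
}

// Bookmarklet side (runs in the hostile page): it can only build the frame and
// post to it; it has no handle on the vault. In a browser this would be roughly:
//   const f = document.createElement("iframe"); f.src = PWM_ORIGIN + "/frame";
//   f.contentWindow.postMessage({ type: "fill" }, PWM_ORIGIN);
// and the frame would reply with
//   window.addEventListener("message", e =>
//     e.source.postMessage(hardenedHandler(e), e.origin));
// replying to e.origin explicitly, never to "*", so the answer cannot be
// delivered to a frame that has since navigated elsewhere.

// Node-side simulation of a message event so the handlers can be exercised
// without a browser. senderOrigin plays the role of the browser-set origin.
function simulateRequest(handler, senderOrigin, data) {
  return handler({ origin: senderOrigin, data });
}

function demo() {
  const ask = { type: "fill", url: "https://bank.example" };
  return {
    vulnerableLeak: simulateRequest(vulnerableHandler, "https://evil.example", ask),
    hardenedDenied: simulateRequest(hardenedHandler, "https://evil.example", ask),
    hardenedLegit: simulateRequest(hardenedHandler, "https://bank.example", ask),
    hardenedOpaque: simulateRequest(hardenedHandler, "null", ask),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}

module.exports = { VAULT, PWM_ORIGIN, vulnerableHandler, hardenedHandler, simulateRequest, demo };
```

The isolation only holds if the frame's own origin is clean: the frame must not evaluate anything from `event.data`, and the reply must go back with an explicit `targetOrigin`. The check on `event.origin` is the whole trust boundary; the claimed `url` field is there only to show what the vulnerable version trusted.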

