They pretty heavily fumbled exactly this Heartbleed response too. They claimed they "weren't vulnerable" because of this setup, but they clearly were. If you exfiltrated an SSL key, which Heartbleed allowed, you could serve whatever JS (including JS that just explicitly exfiltrated your passphrase) you wanted to end users.
LastPass is full of clowns. There's already two examples of their cavalier approach to what should be simple security in this thread and I'm pretty sure there are more.