Anyone remember Gator?
Oh, how naive we all were. At least I uninstalled Gator when it moved to spamware (hey, I was a teenager).
I thought LastPass was user-encrypted, like even LastPass couldn't unencrypt the data without your password. But if that's the case, why/how does the plugin expose anything to a website? Shouldn't all data go from webpage to plugin? All the plugin has to do is fill out fields, right? What possible reason is there for even including functionality a web page can manipulate?
Here's the process I see:
Plugin grabs URL from browser.
Plugin scans rendered HTML for fields.
Plugin prompts user to fill fields. (important, especially for hidden fields!!!)
User fills fields.
End of Transaction.
The fact that "1min-ui-prod.service.lastpass.com" exposed this issue makes me think it was used by LastPass as some sort of backdoor (oh, I'm sure they'll claim it was a test server they never meant to be released to the public). But still, in the end, if they're trying to be legitimate, what possible reason is there for LastPass to be controllable by a webpage?