The bug was found in the browser extensions for Chrome and Firefox. The good news is that the Chrome extension bug has been patched, but the bug in the Firefox extension remains open, putting all users at risk.
"This allows complete access to internal privileged LastPass RPC commands," the researcher said. "There are hundreds of internal LastPass RPCs, but the obviously bad ones are things copying and filling in passwords (copypass, fillform, etc)."
"I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly." pic.twitter.com/9VkV7R3vud (Tavis Ormandy, @taviso, March 21, 2017)