… thought it was worth starting a new thread
LastPass cross-site scripting vulnerability revealed:
http://www.theregister.co.uk/2011/03/01/password_management_site_xss_bug/
https://grepular.com/LastPass_Vulnerability_Exposes_Account_Details
forum thread:
http://forums.lastpass.com/viewtopic.php?f=12&t=60559
LastPass response:
http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
http://blog.lastpass.com/2011/03/content-security-policy-csp-implemented.html
… I guess - if we don’t take LP's recent fixes into account - people using FF NoScript on any FF version or simply using FF4 (CSP implementation https://wiki.mozilla.org/Security/CSP/Specification) are protected.
Edit: to make things clear if needed, the issue obviously only exists or may exist when you log in to your LastPass account directly on the LastPass website, not when using the browser plugin.