It's possible to proxy untrusted messages to LastPass 4.1.42 due to a bug, allowing websites to access internal privileged RPCs (Remote Procedure Calls).

There are a lot of these RPCs, and together they allow complete control of the LastPass extension, including stealing passwords.

If you have the "Binary Component" installed, this even allows arbitrary code execution. Full details here.

Click the button below to run calc.exe. (This demo is Windows with Chrome only, but other platforms and browsers are affected.)