The fix for issue 1209 was to prevent loading the special domain `1min-ui-prod.service.lastpass.com`. This works in Chrome, but FireFox loads content scripts into error pages, allowing a similar vulnerability to be exploited.
The list of procedure calls available is completely different, but I noticed that the procedure `ResetScript` will load an arbitrary URL, and then run arbitrary script in it.
This is effectively a UXSS, allowing anyone to compromise any website. But...because the URL being opened is from an extension, it can open non-websafe URLS, e.g. resource://support-at-lastpass-dot-com/data/vault.html. This allows a simple demo where your password can be read back from the vault, e.g.:
+ 'throw 1;'
I uploaded a demo version here (this URL is secret):
It reliably alert()s the password for a random site in my vault.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.