tl;dr is that, among 4 others, LastPass had some serious security flaws last year. An attacker could, if they had control over the website the victim was browsing, read any password from the database by exploiting the bookmarklet.
The issue was resolved by hosting the encryption key in an iframe and communicating requests via postMessage.
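
A sketch of the iframe side of that design, as an added example (not LastPass's code and not part of the original text): the message format, the name `handleVaultRequest` and the sample vault are assumptions. The key and decrypted entries stay in the iframe's origin, and the handler picks the entry by the browser-supplied `event.origin`, never by anything the host page puts in the message.

```javascript
// Constructed sample vault. In the iframe design these entries would be
// decrypted inside the frame with a key the host page cannot read.
const SAMPLE_VAULT = new Map([
  ["https://bank.example", { username: "alice", password: "constructed-pw-1" }],
  ["https://mail.example", { username: "alice@mail.example", password: "constructed-pw-2" }],
]);

// Hypothetical handler running inside the vault iframe.
// `event` is a MessageEvent-like object: { origin, data, source }.
// Returns { targetOrigin, message } to hand to postMessage, or null to drop.
function handleVaultRequest(event, vault) {
  // event.origin is set by the browser; event.data is fully page-controlled.
  const origin = event.origin;
  if (typeof origin !== "string" || !origin.startsWith("https://")) {
    return null; // opaque ("null") or non-HTTPS senders get no reply at all
  }
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (data.type !== "fill-request" || typeof data.id !== "string") return null;

  // Any site name carried in the message is ignored on purpose:
  // the lookup key is the sender's real origin, so a page can only
  // ever ask for its own entry.
  const entry = vault.get(origin);
  const message = entry
    ? { type: "fill-response", id: data.id, username: entry.username, password: entry.password }
    : { type: "fill-response", id: data.id, error: "no-entry" };

  // Pin the reply to the sender's origin (never "*"), so a frame that
  // navigated after sending the request cannot receive the credentials.
  return { targetOrigin: origin, message };
}

// Browser wiring: only active when the script actually runs inside a frame.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => {
    const reply = handleVaultRequest(event, SAMPLE_VAULT);
    if (reply && event.source) {
      event.source.postMessage(reply.message, reply.targetOrigin);
    }
  });
}
```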