Any website* [see ETA below] can be set up to allow access to your Lastpass vault without a hacker knowing or using your Lastpass Master Password. Mr. L33t "Are people really using this Lastpass thing?" Hakkor here indicates hackers can go in and delete your existing passwords without your knowledge or permission. Yes, I'm grateful he found this bug, but no, he doesn't need to be a total asswipe about it.
But the latest Lastpass "fix" version ALSO has a bug (at least in Firefox latest on Win10 Pro) that I just found.
If this is your setup then set a "don't re-prompt" flag (for Master Password entry) IMMEDIATELY or Lastpass won't work. ETA2: you can take anything between this and the next ETA under advisement, but I haven't been able to repeat the success I had in further attempts after posting.
This isn't the most fun (ETAnth: and wow, I really wasn't kidding; what a mess) I'll ever have writing about Lastpass. I wasn't going to post anything until I saw news of the zero day flaw and installed Lastpass's "fix" version, only to run into this problem on the first site (Dreamwidth) that I tried to log into.
OK, so say that, like me, you've set Lastpass to make you type in a Master Password before you log into a website, then once it gets your Master Password, that it autofills your username and password for you.
With the new "fix" version, if you don't check "don't re-prompt" and select a time frame (I selected 24 hours), Lastpass WILL NOT autofill your username or password (or it will, but somehow the login will still fail with a "wrong password" message and then the form fields will return blanked out; see ETAs below).
A question I have: are the blank form fields and the re-prompt on an infinite loop? I'm not sure, but after Dreamwidth warned me I'd be booted for too many log-in attempts (because a blank field somehow equals a wrong password, in this case?) after four tries, I gave up trying to do it the right way and went for the "don't re-prompt" box. Luckily my first instinct as to what was wrong was right.
tl;dr ad infinitum, dudes
Fix the latest Lastpass bug with this new version of Lastpass;
if you have Lastpass set to prompt for Master Password before you log into each website, then before you log in, check the "don't re-prompt" box and select a timeframe, or you won't be able to log in - the form fields will NOT be autofilled and Lastpass will simply re-prompt for your Master Password in a seemingly (and quite possibly) endless loop.
ETA1: while Lastpass writes that pulling off the zero-day flaw would "require tricking a user via a phishing attack into going to a malicious website", the bug-finder says no, that's not true: any website can insert malicious code to view, modify, delete or steal the contents of your Lastpass vault.
ETA2a: The above fix worked on a newer tablet running Windows 10 but does not work on an older HP laptop I've been using since posting about this. Logging into Dreamwidth on the latter, the form fields are, in fact, being auto-filled, but are erased at the point where log-in should occur. The log-in then fails with the "wrong password" message from Dreamwidth. Setting the "don't re-prompt" flag changes nothing; it was just rinse and repeat until my IP got banned for too many attempts. On my final retry I went into the Vault and copied/pasted my password directly into the form field.
Which puts my plaintext Dreamwidth password directly into Windows memory and is a really, really stupid thing to do.
And in copying it out from my Vault, I was supposed to have to enter my Master Password once again to even have access to it, but the prompt for that was turned off, so I was able to just copy it directly (yet another bug/security vulnerability).
I then tried to log into live.com (Dreamwidth and Live are the same websites I tried for my earlier version of this post) but this time the form fields on Live auto-filled just fine so I was logged in immediately.
I don't have an answer to what's going on with Dreamwidth, nor how to get around the log-in problem without directly filling out the password field like I just did, but I'm not reporting it, because the version of Lastpass causing this issue will be considered unstable or not widely used, so it would probably be relegated to low priority for bug-fixing.
I'd actually suggest not using the "fix" version of Lastpass, because it seems to be breaking more than it's fixing (it's also breaking Dreamwidth's CSS on the log-in and log-in failure pages). On Dreamwidth, where it's literally not working at all, and on Live, where it seems to be working at least from my laptop, I'm getting the green bar along the top after my DW log-in failures and Live log-in successes saying, "Save this site?" when I already did - isn't that why I'm having a problem, after all?
On top of that, I'm starting to wonder about corporate responsibility and if Lastpass should go take a hike.