by pbininda 3622 days ago
If I read this article correctly, the headline should actually be: How I made LastPass give me all MY passwords

Update: after a few answers to my badly thought-through comment, I now feel enlightened. The attack scenario is a malicious web site which can gobble up my passwords. Thanks.

3 comments

This is just a PoC. Now imagine that the author instead:

1. Writes up that post.

2. Inserts an iframe in the post, which enumerates known sites (hidden out of view with CSS tricks).

3. Instead of alerting on screen, sends the results back to their server.

4. Submits to HN.

It's also REALLY easy to deliver that malicious site through web ads, especially background pops.

My interpretation is: How I could create a web page that gives ME all the commonly used sites' passwords for ANY LastPass visitor who has autofill enabled.

So no, I don't think it will only give you your own passwords.

If you were using LastPass and visited any page controlled by an attacker on any domain, they could get your passwords to all sites that they tested for, for example Twitter, Gmail, etc.