by jamie_ca 3620 days ago
Not a dev on either product, but I use 1Password for my personal accounts, and a corporate LastPass for my work accounts. I do not believe that 1Password is as immediately vulnerable as LastPass.

LastPass (on Chrome) will auto-fill information on a detected site, which a malicious site can read immediately.

1Password (on Chromium nightly) requires me to hit the 1Password Mini button and select a site/account to log in with. If 1Password had a similar vulnerability, a malicious site as described would merely wind up showing me accounts for the wrong site in the dropdown. Clicking one could wind up submitting/leaking my credentials to the attacker, though.

1 comments

1Password doesn't auto-fill, but you can press [Ctrl|CMD] + \ to fill in the password automatically based on the detected domain.
It does have an "open and fill" feature which autofills, but only immediately after opening the site by URL first. (So the attacker's URL would have to be saved in 1Password alongside your credentials.)

This is actually how I use 1Password most often. Global hotkey of cmd+opt+\, type a site name, hit enter: 1Password opens the site and logs in.