> Either the 3 of us had the same malware/Chrome extension
Is stealing the master password this way possible in practice? As far as I know, Chrome extensions cannot inject e.g. JavaScript into tabs and toolbar popups that are owned by Chrome extensions. Random pages and extensions are able to send string/JSON messages to an extension but message sources usually have to be on an allow list + JavaScript `eval` should be disabled in the Chrome extension context.
I sometimes didn't use the LastPass extension, and simply logged in by going to lastpass.com and filling out the login form there. That form could have been compromised by an extension.
Is stealing the master password this way possible in practice? As far as I know, Chrome extensions cannot inject e.g. JavaScript into tabs and toolbar popups that are owned by Chrome extensions. Random pages and extensions are able to send string/JSON messages to an extension but message sources usually have to be on an allow list + JavaScript `eval` should be disabled in the Chrome extension context.