Sign In
Username:
Password:

---

Exploit steps

1. Log into the Firefox https://lastpass.com website client (not browser extension).
2. Add a new site and set the URL to this page. Alternatively, the attacker can share a malicious site with you.
3. Click launch on your newly added site.

---

Exploit
Leaked CSRF token: (not loaded yet)

(An actual malicious page would do this without asking.)