Google-chrome – What happens when I browse items in the LastPass vault on Chrome while running other extensions that can “Access all your data on all websites”

google-chrome-extensions lastpass security

The way I use LastPass with Chrome, I often open and browse my vault items, including the passwords. I just noticed with horror that I have several other extensions enabled that have permission to "Access all your data on all websites." Does this mean these other extensions "see" whatever I see in my vault, and that they can learn logins and passwords I've saved? If not, I'd love to understand why not, you know, just so I can sleep at night.

Best Answer

The only way for a Chrome extension to gain access to the HTML code inside a tab, or in your case your password, is to inject a content script in the form of a JavaScript file.

I've created a quick Chrome extension to try this out myself. Luckily, it is not possible to inject content scripts into other Chrome extension tabs - only in tabs that match http://*/* and https://*/*. It's therefore impossible for a Chrome extension to be able to get your passwords from your LastPass vault.

However, this doesn't prevent extensions with the "Access all your data on all websites" permission from simply getting your password when you log in on any website, including your online banking account, for example.

Only install extensions from sources you trust. Check the reviews when downloading an extension from the Chrome web store. It's likely that someone will notice a malicious extension quickly.
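
The scheme restriction described in the answer, as an added example that is not part of the original answer: a simplified JavaScript model of Chrome match patterns that lists an extension's broad host patterns and checks which URLs they cover. The function names, the sample manifest, the URLs and the placeholder extension ID are all constructed, and only the http and https schemes named in the answer are modelled.

```javascript
// Added example: simplified model of Chrome match patterns; names and data are constructed.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const BANK_URL = "https://bank.example.com/login"; // constructed
const VAULT_URL = "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/vault.html"; // placeholder ID
const sampleManifest = { // constructed manifest of a third-party extension
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["cs.js"] }],
};

// Collect every host pattern an extension requests (MV2 and MV3 manifest keys).
function hostPatterns(manifest) {
  const scripts = manifest.content_scripts || [];
  return [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...scripts.flatMap((cs) => cs.matches || []),
  ].filter((p) => p === "<all_urls>" || p.includes("://"));
}

// Patterns that amount to access to all websites.
function broadPatterns(manifest) {
  return hostPatterns(manifest).filter((p) => BROAD.has(p));
}

// Does a host pattern cover this URL? Pages on any non-web scheme are never covered.
function patternCovers(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, pScheme, pHost, pPath] = m;
  if (pScheme !== "*" && pScheme !== scheme) return false;
  const hostOk =
    pHost === "*" ||
    (pHost.startsWith("*.")
      ? u.hostname === pHost.slice(2) || u.hostname.endsWith(pHost.slice(1))
      : u.hostname === pHost);
  if (!hostOk) return false;
  // In the path, '*' is a wildcard and everything else is literal.
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + pPath.split("*").map(esc).join(".*") + "$").test(u.pathname + u.search);
}

// True when at least one requested pattern covers the page.
function canInject(manifest, url) {
  return hostPatterns(manifest).some((p) => patternCovers(p, url));
}
```

With the constructed manifest, `canInject` is true for the bank login page and false for the extension-page URL, which is the distinction the answer draws.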