I'm looking at LastPass 4.1.20a on Windows, and can see some problems with the
design. It looks like the add-on works by injecting elements and event handlers
into the page.

<input> boxes are modified with some CSS, and a click event handler is added
that instructs the add-on to create a privileged iframe. A page can click the
right x:y coordinates. Normally a page would not be permitted to navigate
to a resource:// URL, but this just asks the add-on to do it.
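
One way a click handler of the kind described above could refuse clicks generated by the page itself, as an added example that is not part of the original report and is not LastPass code. The names `isGenuineUserClick`, `attachGuardedHandler` and `openPrivilegedFrame` are hypothetical, and an `EventTarget` stands in for the instrumented `<input>`.

```javascript
// Added example with hypothetical names; not taken from the add-on.

// Decide whether a click may trigger the privileged action.
function isGenuineUserClick(event, field) {
  return Boolean(event) &&
    event.type === 'click' &&
    // isTrusted is false for any event built by script and sent with
    // dispatchEvent(); only events raised by the user agent are trusted.
    event.isTrusted === true &&
    // The click must land on the element the add-on instrumented.
    event.target === field;
}

// Attach the guarded handler. openPrivilegedFrame is a stand-in for the
// request that asks the add-on to create its privileged iframe.
function attachGuardedHandler(field, openPrivilegedFrame) {
  const log = [];
  field.addEventListener('click', (event) => {
    if (isGenuineUserClick(event, field)) {
      log.push('opened');
      openPrivilegedFrame();
    } else {
      log.push('ignored');
    }
  });
  return log;
}

// Constructed demo: a script-made click is dispatched at the field, then the
// guard is called with a stub object shaped like a trusted click (script
// cannot create a real trusted event, so the stub is only for illustration).
function demo() {
  const field = new EventTarget();
  let opened = 0;
  const log = attachGuardedHandler(field, () => { opened += 1; });
  field.dispatchEvent(new Event('click'));
  const stubTrusted = { type: 'click', isTrusted: true, target: field };
  const stubWrongTarget = { type: 'click', isTrusted: true, target: {} };
  return {
    log,
    opened,
    trustedAccepted: isGenuineUserClick(stubTrusted, field),
    wrongTargetAccepted: isGenuineUserClick(stubWrongTarget, field),
  };
}
```

The `isTrusted` check only distinguishes user-agent events from scripted ones; it does not by itself address a page positioning content so that a real user click lands on the injected element.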