Sean Cassidy shows how to achieve a briliant phishing attack on Lastpass by combining multiple security holes.
This attack is powerfull because the author made a clear roadmap which checks if LastPass is installed, then logging out the user using a known vulnerability in the browser. The author tricks the user to login on the fake site and finally verifies the credentals using the public API.
This article also shows how XSS is used in practice.0
The source code can be found on Github