Security Rated 3 out of 5 stars

Let's suppose the current owners of LastPass sell their business.

What can prevent the new owner to modify the java script that handles the encrypted passwords, so that the modified java scripts sends the password via SSL to the new owner, as plain not-encrypted text?

In other words, even if the passwords are and remain on my computer, LastPass seems to have full control on the javascript/Extension that has the power to open the encrypted passwords. It seems child's play to modify this javascript/Extension code to send the non-encrypted passwords anywhere on the internet. Or not?

Is the java script/extension code at least open source for public inspection?

This review is for a previous version of the add-on (1.51.2). 

This is not a big threat

If LastPass was sold, the company that bought LastPass wouldn't destroy the value of it by doing something like this. They'd have to release an update for this to happen as well, which would be closely watched.

You can watch any SSL request and see the data that's sent across using Tamper Data for Firefox or Fiddler2 for IE -- we advertise this stuff so people can make informed choices and verify for themselves what LastPass is doing:

Let's compare using the built in Firefox password manager to using LastPass -- in both cases you have to worry that the company making the product doesn't go rogue, fine. In both cases you could look at the source code to see but an exceptionally low number of people actually would.

Where they start to separate is in Firefox's case you have to also worry about every other program you run on your computer, knowingly or not: spyware, malware that you accidentally run can instantly grab your passwords (LastPass' windows installer shows this threat). Trojans like Torpig collected 38% of their data directly from the built in password managers.