Please correct me if I am mistaken, but couldn't this have been implemented into an iframe that when ran could send the passwords to another remote server?
If so, I am a little taken back by LastPass only offering $1,000 to the researcher that found and reported it for fixing. He or she could have taken a different path and resulted in this being used in some complex targeted attack against tech corporations via short-url redirect interstitial pages, or an ad network's javascript, etc. Given the potential damage, I'd say there is a missing zero or two on that reward amount, in my opinion.
At the time I submitted this, they didn't even have a bug bounty. Considering that, I think $1,000 is great :)
Have you got a mechanism you could post here for them to do so?