I just came across something that might be known behavior, but I rather share it anyway.
Short: When using shared credential from LastPass vault (even without acceess to the actual password), when lastpass passes the password to fill the site details, the browser password manager is able to read and store the password. Making it available to the user.
Replication: I used Chrome in this case, but it happens on any other browser.
1. someone shared a set of credentials with me. I am unable to access the credentials password, as this has been revoked by the credential owner.
2. I go to the website and use the LastPass chrome browser extension to populate the credentials
3. When enabled, my browser asked if I want to keep the credentials on its own password management module.
4. At this point I dont even have to save the credentials, I can just loop at the password on the browser password management functionality.
Even if the browser is an external element to LastPass. Lastpass is the identity holder of the password. I would expect that some level of security is used to pass the password to the end point.
It is possible that we could certainly administer the level of permission at user level at their browser (to avoid using some of the functionalities), yet we would be masking a symptom, as lastpass should contemplate security in these scenarios, where password content could be accessed from different resources, (managed/unmanaged).