The instructions on PFP website for how to do various things, they often begin with the following steps:
> Click PfP icon on any website
> Enter your master password
Can't a website just fake a PFP icon to induce you to reveal your master password, and now the website owner has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write OP?
Pfp puts the icon in the browser bar, to counter such action. So the pop-up can only be opened this way and the pop up is in a different context than the website itself.
Yes the pop-up could be faked, but not the button.
Actually Tavis Ormandy found a lot of security breaches in password managers that loaded GUI elements into the website. Not only that you can fake it, but also they are susceptible to clickjacking.
> Click PfP icon on any website
> Enter your master password
Can't a website just fake a PFP icon to induce you to reveal your master password, and now the website owner has access to all of your generated passwords? Isn't this exactly the type of attack that caused taviso to write OP?