Hard-coding the symmetric encryption key used to store your master password isn't just a minor slip-up. This is the kind of mistake that I for one wouldn't make, and I'm no security expert.
At least for proprietary apps, security is about trust. Given their other slip-ups in the past, along with present design choices like making certain administration tasks available only through the web interface, I wonder how people can trust LastPass.
Of course, it's better than not using a password manager at all. But one has to admit the bar for that is pretty low.
I get baffled at how such basic security mistakes are made. Either whoever made them doesn't care or doesn't know, neither of which is good for, at least, applications that store such sensitive information.
To be fair, unless I misunderstood, the symmetric key is only used when you save your master password (so you don't have to re-type it) and use a PIN instead.
I believe the LastPass app encourages you to NOT do this.
This obviously doesn't excuse the implementation (it shouldn't have gotten past CR). Just pointing out the attack vector is not as severe as it seems (at least from the issue's title).
Without a strong master password, encryption is useless. It's recommended to have a master password of at least 16 chars including digits and special characters. Otherwise a global enemy with the right resources, like the NSA, can brute force it from a distance.
My password is 24 chars in length, includes digits and special characters and isn't made of dictionary words. Typing such a password on my laptop with a normal keyboard is fine, because I touch type, but typing it on my phone every time I need it is simply not doable. Using a PIN on the other hand is easy and should be fairly secure if the app is designed to fall back to the master password after X failures, preferably with hardware support.
So in all fairness, not only did they screw up a basic feature, but this also encourages people to use weaker master passwords.