https://www.seancassidy.me/lostpass.html
tl;dr - An attacker can easily prompt a fake, pixel-perfect alert in Chrome, prompting you to sign in on a fake login page. Two-factor authentication doesn't help.
Thanks for the heads up but it has been patched.
It even says so in the article you linked: I informed them in November, and they acknowledged the bug in December.