Computer Misuse Act 1990, section 1.1. The test for the vulnerability requires running the exploit, whose only function is to secure unauthorised access to data held on the remote machine. Seems fairly clear-cut to me.
(1)A person is guilty of an offence if—
(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured]F1 ;
(b)the access he intends to secure [F2, or to enable to be secured,]F2 is unauthorised; and
Lastpass is not trying to secure the web wervers with the check
