Because mods have decided to sort this thread by "controversial" I'm replying to this post, as it shows at the top.

From u/VFR800

More detailed ELI5

The allegations were debunked quite logically for the average layperson. Their attempt in creating a vulnerability is not possible, because the DCI group draws a situation where the victim is:

(a) BOTH naive enough to follow obviously malicious instructions from an unknown attacker AND capable enough of coding IOTA transactions by hand in a code editor, OR

(b) Naive enough to enter their seed into a malicious piece of software provided by the attacker, at which point the attack as originally described no longer exists because the attacker now has the seed directly (and access to funds on ALL addresses).

When confronted about the practicality of the attack, rather than address these issues, DCI misled the public into believing the IOTA network had a vulnerability.

More detail:

Here are the steps require in scenarios A and B

1. Attacker asks victim: "May I please have an unused address to send you money?" or "Would you please send me a transaction that uses an address generated from your seed?"

2. Attacker generates a new bundle (transaction), and sends it to the victim

Scenario A

1. Victim opens up their code editor, downloads the IOTA libraries, enters their seed and the transaction information from the attacker, signs the transaction IN CODE, and sends the signed info back to the attacker.

Scenario B

1. Attacker also sends the victim or convinces him to download "IOTA Transaction Booster.exe", which prompts the user to enter their seed (ie phishing attack), at which point the rest of the attack is pointless as the seed has already been compromised. And funds from ALL addresses on the seed are compromised.