This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
It has never been hard and it will never be hard, only if you know what you are doing!
In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature, and when it fails you simply don't trust or install it!
Understanding PGP means knowing how to verify signatures and, more importantly, understanding the concept of
https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
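The signature check described in the post above, as an added example (this is not code from the thread or from the Electrum project). It is a POSIX shell script that runs `gpg --verify` on a downloaded file and its detached `.asc` signature, but instead of stopping at "Good signature" it parses GnuPG's machine-readable status lines and accepts the file only when the signing key's fingerprint matches one pinned in advance. The pinned fingerprint is a placeholder you must replace with one obtained out-of-band (the web-of-trust point: a signature from some other key in your keyring is still "good" to gpg, and this is exactly what the pin rejects). The script assumes GnuPG 2.x is installed and the release file and signature are already downloaded; the `check_status_output` parser is separated out so its logic can be exercised without gpg.

```shell
#!/bin/sh
# Added example, not code from the thread or from Electrum.
# Verify a downloaded release against its detached PGP signature AND pin the
# signing key's fingerprint, so a "valid" signature from a different key
# (e.g. one an attacker uploaded to a keyserver) is still rejected.
# Assumptions: gpg (GnuPG 2.x) is on PATH; the file and its .asc are already
# downloaded; EXPECTED_FPR below is a PLACEHOLDER, not any project's real key.

EXPECTED_FPR="0000000000000000000000000000000000000000"  # placeholder; replace out-of-band

# check_status_output STATUS_TEXT EXPECTED_FPR
# Parses the "[GNUPG:] ..." lines gpg emits on --status-fd. Returns 0 only if
# a VALIDSIG line is present whose signing-key fingerprint (field 3) or
# primary-key fingerprint (last field) equals EXPECTED_FPR, and no failure
# status (BADSIG, ERRSIG, NO_PUBKEY, expired or revoked key) was seen.
# GOODSIG alone is not enough: any key in the keyring can produce GOODSIG.
check_status_output() {
    status="$1"
    want="$2"
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
                            $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release FILE SIGFILE EXPECTED_FPR
# Runs gpg non-interactively, routes the status lines to stdout (fd 1) and the
# human-readable chatter to stderr, then hands the status text to the parser.
verify_release() {
    file="$1"
    sig="$2"
    want="$3"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    check_status_output "$status" "$want"
}

# Command-line use: ./verify.sh <release-file> <detached-signature.asc>
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2" "$EXPECTED_FPR"; then
        echo "OK: $1 carries a valid signature from the pinned key $EXPECTED_FPR"
    else
        echo "REJECT: $1 is not signed by the pinned key; do not install it" >&2
        exit 1
    fi
fi
```

The check that matters is the fingerprint comparison, not the word "Good" in gpg's output: a fake build can ship with a perfectly valid signature made by the attacker's own key, and only a key you verified through channels you trust (in person, a long-standing web-of-trust path, the fingerprint printed in multiple independent places) turns "the signature verifies" into "this really came from the developers".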
It didn't require a fake wallet - it happened with the official PGP signed wallet.
The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real Electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
Yes we all know this - it has been stated a number of times before.
Indeed, the official Electrum displayed an update notice and link, to a verified GitHub, that, when installed, meant you lost your Bitcoins.
... and literally millions of dollars of Bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...
Have to agree with kano on this one; this is a serious flaw in the official software that allowed attackers to perform this.
The fact is there was no protection for users to stop the messages being shown, albeit in a somewhat official-looking manner.
As kano stated, the feature is not like the old alert system in Core that required keys before alert messages could be sent to the network.
Just out of curiosity what was the intended use for it in Electrum?