A malicious server admin would probably be able to just intercept and stop that. I don't know how they do group encryption, but I imagine they either have a room key (although with forward secrecy that sounds unlikely) or they do 1:M sending. In any case, it sounds that, since the server doesn't have the group chat keys, they could just check for authorization from the admin (ie a signed message verifying that they're the ones adding the user) before adding a new user to the chat.
> A malicious server admin would probably be able to just intercept and stop that
Which would stop anyone from being invited to the group
> or they do 1:M sending
That's what they do. When you join a group you generate a key that you distribute to all the other participants via a 1-on-1 encrypted session, you then use it to derive keys in a normal chaining-key thingy to encrypt messages to all other participants.
> they could just check for authorization from the admin
> Which would stop anyone from being invited to the group
No, just the malicious server adding the malicious user.
> So you mean the admin would be in on it?
I mean WhatsApp could patch this attack vector by requiring the new member to get a signed assertion from the group admin, proving to the other members that the group admin was the person who added the user.
> I mean WhatsApp could patch this attack vector by requiring the new member to get a signed assertion from the group admin, proving to the other members that the group admin was the person who added the user.
this is related to what I was talking about, except that in my scenario the admin distributes the proof
