Hacker News
by domfletcher 3468 days ago
From my reading of the article it seems like you had to be admin of the group in question because the exploit seems to take advantage of a bug with inviting users to that group. I don't think the vector you describe would work.

OK, there are 2 groups here: Group A, which you're using as a list of users that are interested in a subject. Group B is used to perform the bug, and doesn't have to be an active group at all. You could have just created it for the purpose of performing the exploit.
Ahh, my mistake. I didn't realise that you could just retrieve a full list of users for a group (I just tried it and you can). I suspect this API may be fairly closely watched, however.