by lucb1e 3087 days ago
> If someone hacks the WhatsApp server, they can obviously alter the group membership.

Of course an attacker can subscribe to the conversation if s/he owns the server, but that doesn't make it "obvious" that s/he can actually read messages' contents from that point onwards without any sort of confirmation from the chat's participants.

1 comments

All the chat's participants get a notice that the new member joined. Every time they've ever joined a group, that's been the behavior. They've never gotten a "yes/no" dialog for new group members (it's hard to see how that would even work in practice). I think the behavior here is in fact pretty obvious.
The confirmation would be a participant who invited them and tells the other chat participants about it cryptographically (not by user interaction). That everyone rekeys (or whatever happens in the Signal protocol to allow future messages to be read by the new participant), I would see as a flaw of too much trust on the server.

A notification in a busy group gets lost, and in the scenario of an attacker owning the server, they could easily time it to coincide with a busy period.
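
The cryptographic confirmation described in the reply above, as an added example that is not part of the thread and is not WhatsApp's or Signal's code: each client admits a new member only when an existing member has authenticated the addition, so a roster change injected by the server is rejected. It assumes a group key the server never sees and uses an HMAC under that key as a stand-in for per-member signatures; all names (`make_invite`, `GroupView`, the event fields) are hypothetical.

```python
import hashlib
import hmac
import json


def _encode(event):
    # Canonical bytes of the fields covered by the tag.
    fields = {k: event[k] for k in ("group", "inviter", "new_member", "epoch")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_invite(group_key, group, inviter, new_member, epoch):
    """Built by the inviting member's client; the server only relays it."""
    event = {"group": group, "inviter": inviter,
             "new_member": new_member, "epoch": epoch}
    event["tag"] = hmac.new(group_key, _encode(event), hashlib.sha256).hexdigest()
    return event


class GroupView:
    """One member's local view of the group roster."""

    def __init__(self, group_key, group, members):
        self.group_key, self.group = group_key, group
        self.members, self.epoch = set(members), 0

    def apply_add(self, event):
        """Admit the new member only if an existing member authenticated it."""
        try:
            expected = hmac.new(self.group_key, _encode(event),
                                hashlib.sha256).hexdigest()
            ok = (event["group"] == self.group
                  and event["inviter"] in self.members
                  and event["epoch"] == self.epoch + 1  # rejects replays
                  and hmac.compare_digest(expected, str(event.get("tag", ""))))
        except (KeyError, TypeError):
            ok = False  # malformed event relayed by the server
        if ok:
            self.members.add(event["new_member"])
            self.epoch += 1
        return ok  # False: do not rekey to this member, alert the user
```

Because the key is shared, any current member could produce a tag naming another member as inviter; per-member signatures would remove that limitation.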