If you broadcast an invite link to your private DC group, anyone who obtains it can later exploit further vulnerabilities:
- [undisclosed security issue about overtaking groups of others]
- adding a huge number of members
- adding a huge number of spam or bomb messages to the group, either directly or through a constant stream of new members
- directly sending spam messages to each member (if you share a group with someone, you are free to message them)
- adding impersonating members to the group, perhaps even after engineering the removal of the original member and explaining that they “migrated for a bigger quota”
- cloning the group so that the attacker sits as a man-in-the-middle between every pair of members, while the clone superficially resembles the same group with the same set of members
- creating an infinite stream of new abusive groups and adding the members from the original group to them (if you share a group with someone, you are free to add them to any group)
- fingerprinting and tracking the members via P2P calls and webxdc
- sending in new bait webxdc apps, or infected “new” versions of existing, familiar ones (users don’t check the hash, let alone the source, before clicking anyway)
- abusing the election and impeachment process via Sybil attacks
- targeting the few designated moderators of the group one wants to attack with a steady trickle of DDoS (message bombing), so that nobody is able to remove abuse sent to the groups they moderate, or even initiating an impeachment takeover via cloning during this time. This actually happens more often on other platforms than you would think.
- without a single coordinating “owner” designated, the list of moderators can be made to drift, desync or fork
- tracking the account that generated the invitation via already published securejoin vulnerabilities using silent pings