WhatsApp provides no cryptographic management for group messages

The flow of adding new members to a WhatsApp group message is:

1. A group member sends an unsigned message to the WhatsApp server that designates which users are group members, for instance, Alice, Bob, and Charlie.
2. The server informs all existing group members that Alice, Bob, and Charlie have been added.
3. The existing members have the option of deciding whether to accept messages from Alice, Bob, and Charlie, and whether messages exchanged with them should be encrypted.

With no cryptographic signatures verifying that an existing member wants to add a new member, additions can be made by anyone with the ability to control the server or messages that

→ Continue reading at Ars Technica
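The check that the flow above lacks, as an added example that is not from the article or from WhatsApp: a receiving client accepts a server-relayed "members added" message only if it carries a valid authentication tag from an existing member. HMAC under pairwise keys, assumed to be shared end to end, stands in here for a real signature scheme; the member names other than Alice, Bob, and Charlie, the message fields, and the epoch counter are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed keys: the receiving client (Dave, hypothetical) is assumed to share
# one key end to end with each existing member; the server never sees them.
PAIRWISE_KEYS = {"erin": b"constructed-key-dave-erin",
                 "frank": b"constructed-key-dave-frank"}


def canonical(group_id, epoch, added):
    """Serialize the fields the tag covers in one fixed byte form."""
    body = {"group": group_id, "epoch": epoch, "added": sorted(added)}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_add_request(sender, key, group_id, epoch, added):
    """What an existing member sends: the change plus a tag over it."""
    tag = hmac.new(key, canonical(group_id, epoch, added), hashlib.sha256)
    return {"sender": sender, "group": group_id, "epoch": epoch,
            "added": list(added), "tag": tag.hexdigest()}


def accept_add(msg, group_id, members, current_epoch, keys=PAIRWISE_KEYS):
    """Return (accepted, reason) for a membership change relayed by the server."""
    sender, added, tag = msg.get("sender"), msg.get("added"), msg.get("tag")
    if msg.get("group") != group_id:
        return False, "wrong group"
    if not isinstance(sender, str) or sender not in members or sender not in keys:
        return False, "sender is not a known group member"
    if not isinstance(added, list) or not all(isinstance(a, str) for a in added):
        return False, "malformed member list"
    if msg.get("epoch") != current_epoch + 1:
        return False, "stale or replayed epoch"
    if not isinstance(tag, str):
        return False, "unsigned membership change"
    expected = hmac.new(keys[sender], canonical(group_id, msg["epoch"], added),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "tag does not match the announced members"
    return True, "ok"
```

Because the tag covers the group, the epoch, and the full list of added users, a relay that strips the tag, alters the list, or replays an old change is rejected by the client rather than trusted.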
