It should not be possible to add yourself to a group without invitation

[Meteor0id]

Although this is security related, it has already been publicized and is public knowledge.

This article: https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/
explains an issue in Signal where anyone could in theory invite themselves to a group. It does however require the attacker to know the ID of the group, which is only know by current or former group members.

At first it might not seem severe:

• If an attacker would add themselves to the group, everyone in the group would see him join the group, thus he can be kicked out before any sensitive information is shared to the group.
• A new group can be created to avoid this attacker from inviting himself again.
• Messages send before the attacker joined the group will not be send to the attacker; in other words, he won't see the group conversation history.

However, this attack does have a use case in practice:
Say a group of protestors has a group chat in which they coordinate their upcoming protests. they kicked someone out of the group for some reason, but kept using the group, and keep adding new trusted people to the group. At any point in the future can the former group member leak his logfile to the oppressive regime. The oppressive regime can find the group ID, and invite themselves to the groupchat. Although they would get kicked out again, and see none of the messages, they did get a full list of current members of that group.

[awaitlink]

Is what you mean by

kicked someone out of the group

"somehow forced someone to leave the group"?

Without mentioning that, it may appear that you can kick people out of the group in Signal, which currently isn't possible.

[Meteor0id]

Right, good point, I forgot removing someone from the group isn't possible yet in Signal. Someone can not have been kicked from the group in the past, but he can have left voluntary. The issue is taht the remaining group members are not aware there he can rejoin at his own discretion, or even allow other to join the group at their own discretion. After someone has agreed to leave the group or left the group for his own reason, you can't rely on the idea that he is outside of your secure group.

This also means that after the attacker entered the group, you'll be forced to immateriality warn group members to not use the group anymore and request them to join a new one. All current members will still have been identified by the attacker.

---

I haven't looked at the code yet to see if group ID's are in the logs as well. If they are that would mean that you can use peoples logs to join their groups, and see who they have contact with. Imagine I would find a debug log of someone containing a group ID, I join the group and find out who he is chatting with. Not fun, major breach of confidentiality and privacy.

Edit:
A large portion of the group id is scrubbed from the log, so sharing a log does not pose this risk.
https://github.com/signalapp/Signal-Android/blob/110a40592bc539bb739db97d48297bddcdac274c/test/unitTest/java/org/thoughtcrime/securesms/logsubmit/util/ScrubberTest.java#L64-L65

Only current or previous group members with intent to share or mishandle the group-id could do so.