Fabric.io: Ex-admin of an organization can delete team members

When an admin is deleted from an organization, his access rights are not removed properly. This allows an ex-admin to delete team members from the organization. Before proceeding with attack, 1. Create an organization with two accounts. Lets say, VictimOrg - Victimadmin, Victimmember 2. Invite Hackeradmin to VictimOrg and change his role to admin. At this point Hackeradmin can login and grab VictimOrg & Victimmember ids. VictimOrg id:54af7e07b8568e8c6a0001e Victimmember id:552787195127ae16b8000987 3. Delete Hackeradmin from VictimOrg. Now, Hakeradmin is not a member of VictimOrg anymore. Ideally, he does not have rights to access/make changes to VictimOrg. However, he can still delete team members from the VictimOrg. Steps listed below shows that Hackeradmin can delete Victimmember from VictimOrg: 1. Log into fabric.io as Hackeradmin. 2. Navigate to settings->organizations->HackerOrg->Team member link. 3. Click on x symbol corresponding to Hackermember to remove him from HackerOrg. Intercept this request using burp proxy. Proxy shows a similar request as below, DELETE /api/v3/accounts/54c1e78b9ea696b3cb00026a/organizations/54aa36e3937ae35559011d17/leave HTTP/1.1 Host: fabric.io 4. In the intercepted request replace the account id with Victimmember id and org id with VictimOrg id. Modified request is, DELETE /api/v3/accounts/552787195127ae16b8000987/organizations/54af7e07b8568e8c6a0001e/leave HTTP/1.1 Host: fabric.io 5. Send the modified request to the server and it removes Victimmember from VictimOrg. 6. To confirm, login as Victimadmin and look at the VictimOrg team members.