Twitter: Fabric.io: Ex-admin of an organization can delete team members

2015-04-10T09:53:25
ID H1:55670
Type hackerone
Reporter satishb3
Modified 2015-11-01T15:46:20

Description

When an admin is deleted from an organization, his access rights are not removed properly. This allows an ex-admin to delete team members from the organization.

Before proceeding with attack,

  1. Create an organization with two accounts. Lets say, VictimOrg - Victimadmin, Victimmember

  2. Invite Hackeradmin to VictimOrg and change his role to admin. At this point Hackeradmin can login and grab VictimOrg & Victimmember ids.

    VictimOrg id:54af7e07b8568e8c6a0001e Victimmember id:552787195127ae16b8000987

  3. Delete Hackeradmin from VictimOrg. Now, Hakeradmin is not a member of VictimOrg anymore. Ideally, he does not have rights to access/make changes to VictimOrg. However, he can still delete team members from the VictimOrg.

Steps listed below shows that Hackeradmin can delete Victimmember from VictimOrg:

  1. Log into fabric.io as Hackeradmin.
  2. Navigate to settings->organizations->HackerOrg->Team member link.
  3. Click on x symbol corresponding to Hackermember to remove him from HackerOrg. Intercept this request using burp proxy.

    Proxy shows a similar request as below,

    DELETE /api/v3/accounts/54c1e78b9ea696b3cb00026a/organizations/54aa36e3937ae35559011d17/leave HTTP/1.1 Host: fabric.io

  4. In the intercepted request replace the account id with Victimmember id and org id with VictimOrg id.

    Modified request is,

    DELETE /api/v3/accounts/552787195127ae16b8000987/organizations/54af7e07b8568e8c6a0001e/leave HTTP/1.1 Host: fabric.io

  5. Send the modified request to the server and it removes Victimmember from VictimOrg.

  6. To confirm, login as Victimadmin and look at the VictimOrg team members.