When an admin is deleted from an organization, his access rights are not removed properly. This allows an ex-admin to delete team members from the organization.
Before proceeding with attack,
Create an organization with two accounts. Lets say, VictimOrg - Victimadmin, Victimmember
Invite Hackeradmin to VictimOrg and change his role to admin. At this point Hackeradmin can login and grab VictimOrg & Victimmember ids.
VictimOrg id:54af7e07b8568e8c6a0001e Victimmember id:552787195127ae16b8000987
Delete Hackeradmin from VictimOrg. Now, Hakeradmin is not a member of VictimOrg anymore. Ideally, he does not have rights to access/make changes to VictimOrg. However, he can still delete team members from the VictimOrg.
Steps listed below shows that Hackeradmin can delete Victimmember from VictimOrg:
Click on x symbol corresponding to Hackermember to remove him from HackerOrg. Intercept this request using burp proxy.
Proxy shows a similar request as below,
DELETE /api/v3/accounts/54c1e78b9ea696b3cb00026a/organizations/54aa36e3937ae35559011d17/leave HTTP/1.1 Host: fabric.io
In the intercepted request replace the account id with Victimmember id and org id with VictimOrg id.
Modified request is,
DELETE /api/v3/accounts/552787195127ae16b8000987/organizations/54af7e07b8568e8c6a0001e/leave HTTP/1.1 Host: fabric.io
Send the modified request to the server and it removes Victimmember from VictimOrg.