X (Formerly Twitter): Fabric.io - an app admin can delete team members from other user apps

It is possible for an app admin to delete all the team members from other apps for which he doesn't have access. To reproduce the attack, create two apps and add different user roles as below, VictimApp - Aliceadmin, Alicemember HackerApp - Hackeradmin, Hackermember Before proceeding with the...