banner
laogou

laogou666

HomeArchives

[Check-in in Any Region] Analysis of the Timing Vulnerability in DingTalk Bluetooth Check-in

#钉钉蓝牙打卡#钉钉打卡BUG#钉钉远程打卡55
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
In the Bluetooth clock-in system of DingTalk, administrators usually set a specific clock-in range and users can only clock in within this range. However, a potential vulnerability has been discovered recently: the actual clock-in location is not determined at the moment when the user clicks to clock in, but at some previous moment. This discovery has been verified through two actual scenarios: one is that users can successfully clock in outside the clock-in range after leaving the office area, and the other is that users can retry and successfully clock in while leaving the clock-in machine after a failed attempt. This indicates that the clock-in location capturing logic of DingTalk may have a timing issue, allowing users to successfully clock in outside the designated area.

image

In DingTalk's Bluetooth clock-in system, administrators usually set a specific clock-in range, and users can only clock in within this range. However, a possible vulnerability has been discovered recently: the actual clock-in location is not determined at the moment when the user clicks to clock in, but at some point before that. This discovery has been verified through two actual scenarios: first, users successfully clock in outside the clock-in range after leaving the office area; second, users retry and successfully clock in while leaving the clock-in machine after a failed attempt. This indicates that there may be a timing issue in DingTalk's clock-in location capture logic, allowing users to successfully clock in outside the designated area.

Analysis of the DingTalk Bluetooth Clock-in Bug#

Normal clock-in process:#

  • The administrator sets a specific clock-in range.
  • Users must be within this range to successfully clock in.

Identified problem:#

  • Abnormal location capture logic in DingTalk clock-in: The actual clock-in location is not determined at the moment when the user clicks to clock in.

Scenario reproduction:#

  1. Scenario: Leaving work

    • Time: 6:30 PM, leaving work.
    • Actions:
      • Shut down the computer and leave the office area.
      • When reaching the vicinity of the stairs, open DingTalk and a clock-in reminder popup appears, but do not clock in immediately.
      • Continue walking to the vicinity of the residential area downstairs, and click on the previous clock-in reminder popup.
    • Result: Clock-in successful.
      • Note: The location at this time is no longer within the clock-in range.
      • Control experiment: A colleague tries to manually clock in at the same location, but cannot connect to the attendance machine.

  2. Attempting to clock in again:

    • Actions:
      • Arrive at the clock-in machine and attempt to clock in again.
      • Intentionally avoid showing the face during the facial recognition stage, causing the clock-in to fail, but a clock-in failure popup appears.
      • Without closing the popup, continue walking to the intersection.
      • Click the "Retry" button on the popup at the intersection.
    • Result: Clock-in successful.
      • The location is no longer within the designated clock-in range.

Summary:#

  • DingTalk's Bluetooth clock-in function may have a bug in the timing of location information capture, causing the actual clock-in location to be out of sync with the user's operation time, allowing users to successfully clock in outside the specified area.

This article is synchronized and updated to xLog by Mix Space.
The original link is https://www.laogou666.com/posts/BUG/dingtalk

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.