In DingTalk's Bluetooth clock-in system, administrators usually set a specific clock-in range, and users can only clock in within this range. However, a possible vulnerability has been discovered recently: the actual clock-in location is not determined at the moment when the user clicks to clock in, but at some point before that. This discovery has been verified through two actual scenarios: first, users successfully clock in outside the clock-in range after leaving the office area; second, users retry and successfully clock in while leaving the clock-in machine after a failed attempt. This indicates that there may be a timing issue in DingTalk's clock-in location capture logic, allowing users to successfully clock in outside the designated area.
Analysis of the DingTalk Bluetooth Clock-in Bug#
Normal clock-in process:#
- The administrator sets a specific clock-in range.
- Users must be within this range to successfully clock in.
Identified problem:#
- Abnormal location capture logic in DingTalk clock-in: The actual clock-in location is not determined at the moment when the user clicks to clock in.
Scenario reproduction:#
-
Scenario: Leaving work
- Time: 6:30 PM, leaving work.
- Actions:
- Shut down the computer and leave the office area.
- When reaching the vicinity of the stairs, open DingTalk and a clock-in reminder popup appears, but do not clock in immediately.
- Continue walking to the vicinity of the residential area downstairs, and click on the previous clock-in reminder popup.
- Result: Clock-in successful.
- Note: The location at this time is no longer within the clock-in range.
- Control experiment: A colleague tries to manually clock in at the same location, but cannot connect to the attendance machine.
-
Attempting to clock in again:
- Actions:
- Arrive at the clock-in machine and attempt to clock in again.
- Intentionally avoid showing the face during the facial recognition stage, causing the clock-in to fail, but a clock-in failure popup appears.
- Without closing the popup, continue walking to the intersection.
- Click the "Retry" button on the popup at the intersection.
- Result: Clock-in successful.
- The location is no longer within the designated clock-in range.
- Actions:
Summary:#
- DingTalk's Bluetooth clock-in function may have a bug in the timing of location information capture, causing the actual clock-in location to be out of sync with the user's operation time, allowing users to successfully clock in outside the specified area.
This article is synchronized and updated to xLog by Mix Space.
The original link is https://www.laogou666.com/posts/BUG/dingtalk