banner
laogou

laogou666

HomeArchives

[Check-in in Any Region] Analysis of the Timing Vulnerability in DingTalk Bluetooth Check-in

#钉钉蓝牙打卡#钉钉打卡BUG#钉钉远程打卡284
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
In the Bluetooth clock-in system of DingTalk, administrators usually set a specific clock-in range, and users can only clock in within this range. However, a possible vulnerability has been discovered recently: the actual clock-in location is not determined at the moment the user clicks to clock in, but at a previous moment. This discovery has been verified through two scenarios: firstly, users can successfully clock in outside of the clock-in range after leaving the office area; secondly, users can retry and successfully clock in while leaving the clock-in machine after a failed attempt. This indicates that the clock-in location capture logic of DingTalk may have a timing issue, allowing users to successfully clock in outside of the designated area.

image

In the Bluetooth clock-in system of DingTalk, administrators usually set a specific clock-in range, and users can only clock in within this range. However, a possible vulnerability has been discovered recently: the actual clock-in location is not determined at the moment when the user clicks to clock in, but at some point before that. This discovery has been verified through two actual scenarios: first, users successfully clock in outside the clock-in range after leaving the office area; second, users retry and successfully clock in while leaving the clock-in machine after a failed attempt. This indicates that there may be a timing issue in the clock-in location capture logic of DingTalk, allowing users to successfully clock in outside the designated area.

Analysis of the Bluetooth Clock-in Bug in DingTalk#

Normal clock-in process:#

  • Administrators set a specific clock-in range.
  • Users must be within this range to successfully clock in.

Identified issue:#

  • Abnormal location capture logic in DingTalk clock-in: The actual clock-in location is not determined at the moment when the user clicks to clock in.

Scenario reproduction:#

  1. Scenario: Leaving work

    • Time: 6:30 PM, leaving work.
    • Actions:
      • Shut down the computer and leave the office area.
      • Open DingTalk when near the staircase, a clock-in reminder popup appears, but not immediately clock in.
      • Continue walking to the vicinity of the residential area downstairs, and then click on the previous clock-in reminder popup.
    • Result: Successful clock-in.
      • Note: The location at this time is already outside the clock-in range.
      • Control experiment: A colleague tries to manually clock in at the same location, but cannot connect to the attendance machine.

  2. Retry clock-in:

    • Actions:
      • Come to the clock-in machine and try to clock in again.
      • Intentionally not showing the face during the face recognition stage, resulting in a failed clock-in but generating a failed clock-in popup.
      • Without closing the popup, continue walking to the intersection.
      • Click the "Retry" button on the popup at the intersection.
    • Result: Successful clock-in.
      • The location is no longer within the designated clock-in range.

Summary:#

  • The Bluetooth clock-in function of DingTalk may have a bug in the timing of location information capture, causing the actual clock-in location to be out of sync with the user's operation time, allowing users to successfully clock in outside the specified area.

This article is synchronized and updated to xLog by Mix Space.
The original link is https://www.laogou666.com/posts/BUG/dingtalk

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.