
Applying an Armor Ornament to Itself Removes the Armor

Rick Casey edited this page Jan 4, 2022 · 1 revision

Summary

  • While developing Fashion Loadouts, we discovered a bug in the Destiny API “InsertSocketPlugFree” endpoint that will remove equipped armor items from a player's inventory.
  • An equipped armor item is removed when a player tries to apply a universal (i.e., “transmog”) ornament to the same item it was created from, for example, applying “Pathfinder’s Visor” as an ornament to “Pathfinder’s Visor.”
  • We believe the scope of this bug is minimal as it was only active for 16 days, it only affects equipped armor, and we have only seen evidence of this bug once in the wild.
  • On December 30th, 2021, the DIM team contacted Bungie to disclose the bug in the Destiny API. We immediately updated DIM to protect users from this bug. Bungie applied a hotfix to patch the API within 4 hours of disclosure. Their hotfix resolved the bug for all consumers of the Destiny API.

Discovery

On December 22nd, Andrew Cross tweeted that swapping ornaments deleted an item. Our team investigated but could not find steps that reproduced the issue.

On December 30th, robojumper, a contributor to DIM, rediscovered the same problem Andrew experienced while testing our new Fashion Loadouts and documented the steps to reproduce the bug.

Method

Before we get into the method, let us define two terms. An ‘item hash’ is a generic reference to an item in Destiny that describes an item, e.g., A Pathfinder’s Visor. An ‘item instance’ is a specific reference to an item in Destiny owned by a player, e.g., Your Pathfinder’s Visor.

Calling the Destiny API “InsertSocketPlugFree” endpoint requires a reference to an item instance (itemId), the character or vault (characterId), and a plug. A request to this endpoint that uses an equipped item instance and an ornament plug whose plugItemHash matches the item instance’s item hash triggers a bug in the API that removes the item instance from the player’s inventory.

POST https://www.bungie.net/Platform/Destiny2/Actions/Items/InsertSocketPlugFree/
{
    "itemId": "6917529227478566691",
    "characterId": "23058434092624423352",
    "membershipType": 1,
    "plug": {
        "socketIndex": 10,
        "socketArrayType": 0,
        "plugItemHash": 702981643
    }
}

Note that this scenario only applies to the Destiny API. A player cannot select the same armor item as an ornament in-game.

Resolution

We immediately patched DIM to prevent users from applying an ornament that matched the armor item. We concurrently reached out to Bungie to explain the bug and provide data on affected characters. Bungie patched the Destiny API four hours after disclosure, which stopped the bug from affecting any API client.
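The kind of client-side check described above can be sketched as follows. This is an added example, not DIM's actual patch; the inventory shape (itemInstanceId, itemHash), the function name guardPlugRequests and all sample IDs and hashes are assumptions constructed for illustration.

```typescript
// Added example: client-side guard, not DIM's actual implementation.
// Assumed inventory shape: itemInstanceId (the page's itemId) plus itemHash.
interface OwnedItem { itemInstanceId: string; itemHash: number }
interface PlugRequest {
  itemId: string;
  characterId: string;
  membershipType: number;
  plug: { socketIndex: number; socketArrayType: number; plugItemHash: number };
}
interface Blocked { request: PlugRequest; reason: string }

function guardPlugRequests(inventory: OwnedItem[], requests: PlugRequest[]) {
  const hashByInstance = new Map<string, number>();
  for (const item of inventory) hashByInstance.set(item.itemInstanceId, item.itemHash);

  const safe: PlugRequest[] = [];
  const blocked: Blocked[] = [];
  for (const request of requests) {
    const itemHash = hashByInstance.get(request.itemId);
    if (itemHash === undefined) {
      // Fail closed: without the item hash we cannot rule out a self-ornament.
      blocked.push({ request, reason: "unknown-item-instance" });
    } else if (itemHash === request.plug.plugItemHash) {
      // The condition from the Method section: plug hash equals the item's own hash.
      blocked.push({ request, reason: "plug-matches-item-hash" });
    } else {
      safe.push(request);
    }
  }
  return { safe, blocked };
}

// Constructed sample data (placeholder IDs and hashes, not real items).
const sampleInventory: OwnedItem[] = [
  { itemInstanceId: "1001", itemHash: 111111 },
  { itemInstanceId: "1002", itemHash: 222222 },
];
const makeRequest = (itemId: string, plugItemHash: number): PlugRequest => ({
  itemId, characterId: "2001", membershipType: 1,
  plug: { socketIndex: 10, socketArrayType: 0, plugItemHash },
});
const sampleRequests = [
  makeRequest("1001", 222222), // different armor as ornament: allowed
  makeRequest("1002", 222222), // ornament equals the item itself: blocked
  makeRequest("9999", 111111), // instance not in inventory: blocked
];
const sampleResult = guardPlugRequests(sampleInventory, sampleRequests);
console.log(sampleResult.safe.length, sampleResult.blocked.map((b) => b.reason));
```

Only the requests in `safe` would be sent to the endpoint; a batch feature such as a loadout can surface the `blocked` entries to the user instead of silently dropping them.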

Scope and Impact

All clients of the Destiny API using this endpoint, including the Destiny Companion App and DIM, had exposure to this bug.

The bug appeared on December 14th, 2021, when Bungie updated the “InsertSocketPlugFree” endpoint to support transmog armor ornaments.

On December 30th, 2021, Bungie patched the bug.

Conclusion

We have said for nearly seven years that you could not lose items using the Destiny API. This bug is the first time in our experience a player has lost an item, and we felt it was important to document and share this with the Destiny community. This event does not remove our confidence in the integrity of the Destiny API to securely and safely manage your items.

We thank the team at Bungie for their immediate and responsive action upon notification of this bug.

We thank the team of volunteers who work together to sustain DIM.