This page describes content that only exists in outdated versions of Wurst.
The Session Stealer allows you to temporarily steal the Minecraft account of another player. This can either be used to hack into the account of a server admin or as an alternative to alt accounts. Unlike alt accounts, however, session stealing does not allow you to change the skin or the password of the account.
A session in Minecraft remains valid until the owner of the account invalidates it or replaces it with a new session. In practice, that means either launching Minecraft or pressing the Log Out
button in the Minecraft launcher. Because of this, the Session Stealer works best against players that don't play Minecraft very often.
All you need to steal a session with the Session Stealer is a valid session token. The most common place to find these tokens are Minecraft launcher logs (not crash logs, but launcher logs). Once you got one of these logs, look for a line that says:
(Session ID is token:AWholeLotOfLettersAndNumbers:MoreRandomLettersAndNumbers)
You might have noticed that the text field in the Session Stealer says the same thing. And that's because you are supposed to paste the random letters and numbers (highlighted in the above example) into that text field. Then you press the Steal Session
button and, if the token is still valid, you're good to go.
If you get an error, then the token has either been invalidated (“This token doesn't work anymore. Try a different one.”) or you didn't correctly paste the token into the text field (“That is not a session token!”). There are some other error messages that could come up, but they are pretty rare and totally self-explanatory.
Please do not open a bug report if you get one of these errors. They are meant to indicate that you did something wrong, not that the hack is broken.
And that's all you need to steal anyone's session! Simple, right? That's because this Session Stealer is designed to be as simple and user-friendly as possible.
In order to steal the session of an admin, you need a fresh launcher log from them. Old logs will not work, they have already been invalidated. One good trick to get a fresh log from them might be to pretend that you are a developer and that you need their log to fix a bug they have. Once you have their log, use their token as explained in Usage.
Once you got the session token from their log, remember that it will only last until they start Minecraft again. So you will probably want to prevent them from doing that too soon. Just be a little creative here, you could pretend that you found a virus in the log and that starting Minecraft now would harm their computer, or whatever.
And because they probably will start Minecraft again at some point, you shouldn't let them wait until you griefed the entire server with their account. Rather use their account to /op
your own account, which should only take a few seconds and is much less suspicious.
If you can't figure out how to get premium alts, the Session Stealer might be a nice alternative for you. All you need to do is to find some Minecraft logs on the internet and to use their token as explained in Usage.
Some good places to find logs are PasteBin.com, MinecraftForum.net and the Mojang Bug Tracker, but by far the best one is Google. Just search for “session id is token:”
(with the quotes) and you'll find plenty of logs with plenty of tokens from all over the web.
You might find that most of the tokens have already been invalidated. This can be fixed quite easily by limiting the search. As you probably don't know how to do that, here are some pre-configured links:
Version | Changes |
---|---|
Wurst 2.3 | Added SessionStealer. |
Wurst 2.13 | Added “SessionStealer” entry to the Navigator GUI. |
Wurst 2.14 | Added “see also” links to the “SessionStealer” entry in Navigator. |
unknown version | Removed SessionStealer after Mojang patched it out of every Minecraft version by changing how the authentication servers work. |