SECURITY RESEARCH PoC  |  The video below plays from Munowatch CDN with NO valid subscription — server-side entitlement not enforced
CDN bypass demonstration:
The API returned playingUrl for Lost with issubscriber: false and user_access: deny.
The video above plays from Munowatch's own CDN with no token and no auth header; any b-cdn.net URL is publicly accessible.
Lost
Vj Aaron  |  Series  |  42h 21m  |  4 years ago

The survivors of a plane crash are forced to work together in order to survive on a seemingly deserted tropical island.

Episodes (119 of 119)
API Response Evidence — Vulnerability Proof
Endpoint called: GET /api/preview/v2/21197/0
User ID used: 0 (no user / not logged in)
JWT used: Expired Feb 2024 (extracted from APK)
issubscriber: false
user_access: deny
paid_for: YES (premium content)
substatus: EXPIRED
serverhost: 35
video_name: Lost.S01E01.mp4
playingUrl returned: YES (URL in response)
API playingUrl value: https://munowatch.co/clips/ELI.mp4
CDN demo stream: https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only: any caller with the expired JWT extracted from the APK can obtain stream URLs without a subscription. The Munowatch CDN (b-cdn.net) serves content with no authentication required; direct HTTP Range requests succeed with HTTP 206.

{
    "id": 21197,
    "video_title": "Lost",
    "description": "The survivors of a plane crash are forced to work together in order to survive on a seemingly deserted tropical island. ",
    "video_name": "Lost.S01E01.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "35",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "42h 21m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/352593924692.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2022-03-22",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "75810",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "319 MB",
    "create_date": "2022-03-22 07:29:57",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 39,
    "video_status_id": 0,
    "network_id": "45.221.8.174",
    "user_access": "deny",
    "notification": "No",
    "secduration": "152460.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Aaron",
    "trailer_playing_url": "",
    "episodes": 119,
    "episode_state": "NEXT",
    "nxt_eps": "EPS  2",
    "nxt_eps_id": 21198,
    "nxt_eps_title": "Lost 2",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "4 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}
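
A server-side check for the finding above, as an added example that is not part of the original page or Munowatch's code: it flags a response that carries stream URLs while access is denied, blanks those fields, and gives entitled users short-lived signed URLs that the CDN edge can verify. The field names come from the response above; the HMAC token scheme, the function names, the "allow"-style entitled case and the cdn.example sample are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Fields in the page's JSON that carry stream locations.
URL_FIELDS = ("playingUrl", "nxt_playing_url")

def is_entitled(resp: dict) -> bool:
    """Decide access on the server from the flags shown in the response."""
    if resp.get("paid_for") != "1":  # not premium content
        return True
    return resp.get("user_access") != "deny" and resp.get("issubscriber") is True

def leaked_url_fields(resp: dict) -> list:
    """Audit check: URL fields that are populated although access is denied."""
    if is_entitled(resp):
        return []
    return [f for f in URL_FIELDS if resp.get(f)]

def _mac(path: str, expires: int, key: bytes) -> str:
    return hmac.new(key, f"{path}:{expires}".encode(), hashlib.sha256).hexdigest()

def sign_url(url: str, key: bytes, expires: int) -> str:
    """Generic expiring HMAC token (assumed scheme, not a specific CDN's format)."""
    return f"{url}?expires={expires}&token={_mac(urlsplit(url).path, expires, key)}"

def verify_url(path: str, expires: int, token: str, key: bytes, now: int) -> bool:
    """Edge-side check: reject expired or tampered tokens."""
    return now <= expires and hmac.compare_digest(_mac(path, expires, key), token)

def enforce(resp: dict, key: bytes, now: int, ttl: int = 300) -> dict:
    """Blank URL fields when denied; otherwise hand out short-lived signed URLs."""
    out = dict(resp)
    for f in URL_FIELDS:
        if out.get(f):
            out[f] = sign_url(out[f], key, now + ttl) if is_entitled(resp) else ""
    return out

# Constructed sample mirroring the flags and fields of the response on this page.
SAMPLE = {"paid_for": "1", "user_access": "deny", "issubscriber": False,
          "playingUrl": "https://cdn.example/clips/a.mp4",
          "nxt_playing_url": "https://cdn.example/clips/b.mp4"}

if __name__ == "__main__":
    print(leaked_url_fields(SAMPLE))
    print(enforce(SAMPLE, b"demo-key", now=1000))
```

Running `leaked_url_fields` over recorded API responses in a regression test catches the flaw if it reappears; the signed URL only helps if the CDN rejects requests that lack a valid token.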