SECURITY RESEARCH PoC  |  The video below plays from Munowatch CDN with NO valid subscription — server-side entitlement not enforced
CDN bypass demonstration:
The API returned playingUrl for Joy of Life 1 with issubscriber: false and user_access: deny.
The video above plays from Munowatch's own CDN with zero authentication — any b-cdn.net URL is publicly accessible.
Joy of Life 1
Vj Little T  |  Series  |  42h 53m  |  6 years ago

Fan Xian grew up in a small town by the sea with his grandmother, following a sudden visit of a poison master, his peaceful life quickly morph into one filled with danger and hardship. After becoming rather skilled with medicine, poison and martial arts, he goes to the capital to find out more about his mysterious mother. He ends up on an adventure of marvelling the world, getting tangled in politics, finding true love, figuring out his purpose in life and secrets of his world

API Response Evidence — Vulnerability Proof
Endpoint called: GET /api/preview/v2/10043/0
User ID used: 0 (no user / not logged in)
JWT used: Expired Feb 2024 (extracted from APK)
issubscriber: false
user_access: deny
paid_for: YES (premium content)
substatus: EXPIRED
serverhost: 23
video_name: 9df8b~23.mp4
playingUrl returned: YES — URL in response
API playingUrl value: https://munowatch.co/clips/ELI.mp4
CDN demo stream: https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 10043,
    "video_title": "Joy of Life 1",
    "description": "Fan Xian grew up in a small town by the sea with his grandmother, following a sudden visit of a poison master, his peaceful life quickly morph into one filled with danger and hardship. After becoming rather skilled with medicine, poison and martial arts, he goes to the capital to find out more about his mysterious mother. He ends up on an adventure of marvelling the world, getting tangled in politics, finding true love, figuring out his purpose in life and secrets of his world",
    "video_name": "9df8b~23.mp4",
    "filehistory": " ~ JOY OF LIFE 1_x264.mp4 ~ ",
    "openload": "0",
    "embedurl": "",
    "serverhost": "23",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "42h 53m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/102380658313.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2020-06-03",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "66838",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "278.82 MB",
    "create_date": "2020-06-11 15:59:13",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 29,
    "video_status_id": 0,
    "network_id": "154.225.225.219",
    "user_access": "deny",
    "notification": "Yes",
    "secduration": "154380.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Little T",
    "trailer_playing_url": "",
    "episodes": 46,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   2",
    "nxt_eps_id": 10044,
    "nxt_eps_title": "Joy of Life 2",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "6 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}
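
A server-side fix for the finding above, as an added example that is not Munowatch's code: the record is filtered by its own entitlement flags before serialization, and the same check works as a regression test on captured responses. The function names, the reading of any `paid_for` value other than "1" as a free title, and the rule that any `user_access` value other than "deny" counts as allowed are assumptions.

```python
import json

# Fields in the page's response that carry a playable stream location.
STREAM_FIELDS = ("playingUrl", "nxt_playing_url")


def is_entitled(record: dict) -> bool:
    """Fail-closed entitlement decision from flags the API already computes."""
    paid = record.get("paid_for")
    # Assumption: any present paid_for value other than "1" marks a free title.
    if paid is not None and str(paid) != "1":
        return True
    access = record.get("user_access")
    # Assumption: only "deny" is known from the page, so a missing value is
    # treated as deny and any other value as allowed.
    return record.get("issubscriber") is True and access not in (None, "deny")


def enforce(record: dict) -> dict:
    """Copy of the record that is safe to serialize for this caller."""
    if is_entitled(record):
        return dict(record)
    return {k: ("" if k in STREAM_FIELDS else v) for k, v in record.items()}


def leaked_fields(record: dict) -> list:
    """Regression check: stream fields still populated in a denied response."""
    if is_entitled(record):
        return []
    return [f for f in STREAM_FIELDS if record.get(f)]


# Constructed sample: a subset of the fields in the response shown on this page.
SAMPLE = json.loads("""{
  "id": 10043, "paid_for": "1", "user_access": "deny", "issubscriber": false,
  "substatus": "EXPIRED", "trailer_playing_url": "",
  "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
  "playingUrl": "https://munowatch.co/clips/ELI.mp4"
}""")

if __name__ == "__main__":
    print("leaked before enforce:", leaked_fields(SAMPLE))
    print("leaked after enforce: ", leaked_fields(enforce(SAMPLE)))
```

Blanking the fields closes only the API half of the finding; the unauthenticated CDN delivery it also reports needs signed or expiring URLs checked at the CDN edge.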