The API returned
playingUrl for The Emperor: Owner of the Mask 1
with issubscriber: false and user_access: deny.The video above plays from Munowatch's own CDN with zero authentication — any b-cdn.net URL is publicly accessible.
The story of a crown prince named Lee Sun who fights the Pyeonsuhwe society that holds absolute power over the kingdom and also controls the water supply by privatizing it. The drama involves romance, action and court politics as the Crown prince, Lee Sun fights heroically on behalf of the people and Han Ga Eun finds herself falling in love with him instead of avenging the execution of her father at his hands. In “The Emperor: Owner of the Mask,” there is palace intrigue revolving around the true power behind the throne, and a plot twist when the prince switches identities with a commoner. But the overall theme of the show is love, which underlies the romance between a prince and his girl as well as the compassion for the country and people.
API Response Evidence — Vulnerability Proof
Finding: The server sets user_access=deny and
issubscriber=false but still returns playingUrl in the
same response. Subscription is enforced client-side only — any caller with
the expired APK JWT can obtain stream URLs without a subscription.
Munowatch CDN (b-cdn.net) serves content with no auth required
(direct HTTP Range requests succeed with HTTP 206).
{
"id": 15437,
"video_title": "The Emperor: Owner of the Mask 1",
"description": " The story of a crown prince named Lee Sun who fights the Pyeonsuhwe society that holds absolute power over the kingdom and also controls the water supply by privatizing it. The drama involves romance, action and court politics as the Crown prince, Lee Sun fights heroically on behalf of the people and Han Ga Eun finds herself falling in love with him instead of avenging the execution of her father at his hands. In \u201cThe Emperor: Owner of the Mask,\u201d there is palace intrigue revolving around the true power behind the throne, and a plot twist when the prince switches identities with a commoner. But the overall theme of the show is love, which underlies the romance between a prince and his girl as well as the compassion for the country and people.",
"video_name": "empror ruler master of the mask 1.mp4",
"filehistory": "",
"openload": "0",
"embedurl": "",
"serverhost": "26",
"allow_openload": "0",
"full_video_name": "",
"duration": "33h 52m",
"thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/865085759945.jpg",
"tfilehistory": "",
"category_id": 5,
"language_id": 1,
"recording_date": "2021-05-17",
"age_id": "13 +",
"location": 1,
"tab_category_id": 5,
"series_code": "16187",
"access": "1",
"paid_for": "1",
"new_movie": "1",
"priority": "No",
"size": "219.49 MB",
"create_date": "2021-05-17 12:04:02",
"schedule_date": null,
"user_id": 1118356,
"vj_id": 24,
"video_status_id": 0,
"network_id": "45.221.8.174",
"user_access": "deny",
"notification": "No",
"secduration": "121920.000000",
"issubscriber": false,
"genre": "Series",
"vjname": "Vj Hd",
"trailer_playing_url": "",
"episodes": 40,
"episode_state": "NEXT",
"nxt_eps": "EPS 2",
"nxt_eps_id": 15438,
"nxt_eps_title": "The Emperor: Owner of the Mask 2",
"nxt_ldur": 0,
"nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
"playingUrl": "https://munowatch.co/clips/ELI.mp4",
"ldur": 0,
"session_id": "cb99afb5b31411a57538a97393de0e2e",
"device": "web",
"lang_name": "English to Luganda",
"vjrelease": "5 years ago",
"mstatus": true,
"kstatus": "",
"substatus": "EXPIRED"
}