Watch — Ashoka 111B

SECURITY PoC — NO AUTH

This movie's CDN stream is playing without login or subscription

Up next

Per-movie CDN bypass proof The API returned playingUrl for Ashoka 111B with issubscriber: false, user_access: deny, and paid_for: true. The video_name + serverhost from the API response are used to construct the CDN URL above, confirming that the file for this specific movie is publicly accessible with no authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/63873/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 48

video_name ASHOKA EPISODE (111) B.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN stream https://lunoluno.b-cdn.net/timo28/tyu/ASHOKA%20EPISODE%20%28111%29%20B.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 63873,
    "video_title": "Ashoka 111B",
    "description": "The serial is about Indian Emperor, Ashoka, grandson of Chandragupta Maurya. The story starts with young Ashoka (Siddharth Nigam) who is getting guidance from Chanakya(Manoj Joshi) .",
    "video_name": "ASHOKA EPISODE (111) B.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "48",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "19h 18m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/cBPYXBqagL5022.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2026-05-15",
    "age_id": "18 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "29173",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "62.24 MB",
    "create_date": "2026-05-15 14:07:33",
    "schedule_date": "15.05.2026 10:57:58 AM",
    "user_id": 1118356,
    "vj_id": 25,
    "video_status_id": 0,
    "network_id": "45.221.10.6",
    "user_access": "deny",
    "notification": "",
    "secduration": "69480.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Dan De",
    "trailer_playing_url": "",
    "episodes": 145,
    "episode_state": "NEXT",
    "nxt_eps": "EPS  111",
    "nxt_eps_id": 63874,
    "nxt_eps_title": "Ashoka 111C",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "3 weeks ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}