SECURITY RESEARCH PoC  |  The video below plays from Munowatch CDN with NO valid subscription — server-side entitlement not enforced
SECURITY PoC — NO AUTH
THIS MOVIE'S CDN STREAM — No subscription, no login, no auth token required
Per-movie CDN bypass proof:
The API returned playingUrl for Breaking Bad Fortune Teller 25 with issubscriber: false, user_access: deny, and paid_for: true.
The video_name + serverhost from the API response are used to construct the CDN URL above — confirming that the CDN file for this specific movie is publicly accessible with no authentication.
Breaking Bad Fortune Teller 25
Vj Muba Series 24h 51m 4 years ago

During the Ming Dynasty, the emperor sets out for Xinjiang to advocate peace. Shortly after his absence, mysterious occurrences plague the palace and Daoist Tian Mu Tong is called to cast out demons. Together with eunuch Xiao Mo Gu and Jin Yi Wei leader Yun Xiang Rong, Mu Tong uncovers deep dark secrets and conspiracies hidden within conspiracies.

Episodes
Loading episodes…
 API Response Evidence — Vulnerability Proof
Endpoint called GET /api/preview/v2/25995/0
User ID used 0 (no user / not logged in)
JWT used Expired Feb 2024 (extracted from APK)
issubscriber false
user_access
paid_for YES (premium content)
substatus EXPIRED
serverhost 38
video_name Breaking Bad Fortune Teller Episode 25.mp4
playingUrl returned YES — URL in response
API playingUrl value https://munowatch.co/clips/ELI.mp4
CDN stream https://munotech2.b-cdn.net/rus1/553/Breaking%20Bad%20Fortune%20Teller%20Episode%2025.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206). 

{
    "id": 25995,
    "video_title": "Breaking Bad Fortune Teller 25",
    "description": " During the Ming Dynasty, the emperor sets out for Xinjiang to advocate peace. Shortly after his absence, mysterious occurrences plague the palace and Daoist Tian Mu Tong is called to cast out demons. Together with eunuch Xiao Mo Gu and Jin Yi Wei leader Yun Xiang Rong, Mu Tong uncovers deep dark secrets and conspiracies hidden within conspiracies.",
    "video_name": "Breaking Bad Fortune Teller Episode 25.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "38",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "24h 51m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/194852565609.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2022-08-29",
    "age_id": "PG",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "46592",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "206.6 MB",
    "create_date": "2022-08-29 13:40:38",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 31,
    "video_status_id": 0,
    "network_id": "45.221.8.174",
    "user_access": "",
    "notification": "",
    "secduration": "89460.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Muba",
    "trailer_playing_url": "",
    "episodes": 40,
    "episode_state": "NEXT",
    "nxt_eps": "EPS  26",
    "nxt_eps_id": 25997,
    "nxt_eps_title": "Breaking Bad Fortune Teller 26",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "4 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}