Watch — For the Holy Guiguzi 18

Per-movie CDN bypass proof The API returned playingUrl for For the Holy Guiguzi 18 with issubscriber: false, user_access: deny, and paid_for: true. The video_name + serverhost from the API response are used to construct the CDN URL above, confirming that the file for this specific movie is publicly accessible with no authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/30343/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 38

video_name HOLY GUIGUZI 18.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN stream https://munotech2.b-cdn.net/rus1/553/HOLY%20GUIGUZI%2018.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 30343,
    "video_title": "For the Holy Guiguzi 18",
    "description": " Set during the Warring States Period, the story follows an extraordinary genius whose identity is shrouded in mystery. Like a master in chess, Wang Chan moves the pieces at play in tumultuous times to quell dissidence and help his nation grow in strength as he eventually becomes the revered Gui Gu Zi.\r\nIn 390 BC,  the Crown Prince of Wei was able to crush a coup with the help of Wang Cuo. As a result, Wei Huan is exiled and Wu Qi flees to Chu. Just as Wang Cuo celebrates his victory, Wu Qi returns to take revenge and covet Sun Tzu's The Art of War for himself. He surrounds the manor with five hundred of his men and kills everyone in sight. Madame Wang manages to give birth to her son Wang Chan who eventually grows up to become a skilled political strategist.",
    "video_name": "HOLY GUIGUZI 18.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "38",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "46h 01m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/5ZYbOMqi6e2743.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2022-11-12",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "22374",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "382.26 MB",
    "create_date": "2022-11-17 12:08:10",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 5,
    "video_status_id": 0,
    "network_id": "45.221.8.174",
    "user_access": "deny",
    "notification": "",
    "secduration": "165660.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Shao Khan",
    "trailer_playing_url": "",
    "episodes": 52,
    "episode_state": "NEXT",
    "nxt_eps": "EPS  19",
    "nxt_eps_id": 30345,
    "nxt_eps_title": "For the Holy Guiguzi 19",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "4 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}