Watch — Gu Family Book

SECURITY PoC — NO AUTH

CDN bypass demo: stream served without an auth header

Up next

CDN bypass demonstration The API returned playingUrl for Gu Family Book with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/28063/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 37

video_name Watch Gu Family Book Episode 1.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 28063,
    "video_title": "Gu Family Book",
    "description": " Choi Kang Chi is a half-human and half-mythical-creature who was adopted by the lord of the Hundred Years Inn. He was the son of Gu Wol Ryung, the guardian spirit of Jiri Mountain, and the human Yoon Seo Hwa.\r\n\r\nDam Yeo Wool is a martial arts master and daughter of the leader of a secret organization protecting the region. She was sent to the Hundred Years Inn to observe and protect its lord.\r\n\r\nThey met at the Hundred Years Inn, the most popular inn in the region, and fell in love with each other despite Choi Kang Chi being a half-human. When their world turned into chaos, it is up to Choi Kang Chi to put it back into order; and up to Dam Yeo Wool to ensure that Choi Kang Chi's half-mythical-creature side does not get the best of him.",
    "video_name": "Watch Gu Family Book Episode 1.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "37",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "01h 02m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/DeG0Y9RUdd4250.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2022-10-08",
    "age_id": "PG",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "77104",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "519.55 MB",
    "create_date": "2022-10-08 11:52:42",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 26,
    "video_status_id": 0,
    "network_id": "45.221.8.174",
    "user_access": "deny",
    "notification": "No",
    "secduration": "3749.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Sammy",
    "trailer_playing_url": "",
    "episodes": 24,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   2",
    "nxt_eps_id": 28065,
    "nxt_eps_title": "Gu Family Book 2",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "4 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}