Watch — Joy of Life 11

CDN bypass demonstration The API returned playingUrl for Joy of Life 11 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/10053/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 23

video_name d1824~23.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 10053,
    "video_title": "Joy of Life 11",
    "description": "Fan Xian grew up in a small town by the sea with his grandmother, following a sudden visit of a poison master, his peaceful life quickly morph into one filled with danger and hardship. After becoming rather skilled with medicine, poison and martial arts, he goes to the capital to find out more about his mysterious mother. He ends up on an adventure of marvelling the world, getting tangled in politics, finding true love, figuring out his purpose in life and secrets of his world",
    "video_name": "d1824~23.mp4",
    "filehistory": " ~ JOY OF LIFE 11_x264.mp4 ~ ",
    "openload": "0",
    "embedurl": "",
    "serverhost": "23",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "43h 37m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/102380658313.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2020-06-03",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "66838",
    "access": "1",
    "paid_for": "1",
    "new_movie": "0",
    "priority": "No",
    "size": "280.83 MB",
    "create_date": "2020-06-11 16:10:32",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 29,
    "video_status_id": 0,
    "network_id": "154.225.225.219",
    "user_access": "deny",
    "notification": "",
    "secduration": "157020.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Little T",
    "trailer_playing_url": "",
    "episodes": 46,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   12",
    "nxt_eps_id": 10054,
    "nxt_eps_title": "Joy of Life 12",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "6 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}