Watch — Queen of Masks 8

SECURITY PoC — NO AUTH

CDN bypass demo: stream served without an auth header

Up next

CDN bypass demonstration The API returned playingUrl for Queen of Masks 8 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/40454/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 55

video_name Queen of Masks (2023) Episode 8.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 40454,
    "video_title": "Queen of Masks 8",
    "description": " Do Jae Yi is a human rights lawyer who has built up a large following on social media. She has a reputation for defending the vulnerable and victims of sexual crime. Ten years ago, she was the victim of a terrible, haunting crime. Now, she has become a veritable \u201cqueen of masks.\u201d To most of the world, she is a paragon of justice. But behind closed doors, she is exploiting a corrupt politician. And she is secretly helping the current mayor to get out of messy situations \u2013 as part of her own plan to become the next mayor.\r\n\r\nDo Jae Yi is friends with two powerful women. The first is Joo Yoo Jung, the director of an influential arts foundation. The second is the hard-working and ambitious Yoon Hae Mi, who worked her way up from the bottom at a prestigious hotel to the position of Vice President. The three women\u2019s former friend, Go Yoo Na feels she was betrayed by the rest of the women. She moved to the USA in a bid to start her life again. But when she returns to South Korea in search of her missing daughter, her path crosses with those of her former friends. Could revenge be in the cards when they reunite?",
    "video_name": "Queen of Masks (2023) Episode 8.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "55",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "36h 26m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/2VnycqjzVX1628.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2023-08-18",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "33799",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "319.65 MB",
    "create_date": "2023-08-18 16:08:03",
    "schedule_date": "18.08.2023 04:28:18 PM",
    "user_id": 1118356,
    "vj_id": 37,
    "video_status_id": 0,
    "network_id": "41.190.134.203",
    "user_access": "deny",
    "notification": "",
    "secduration": "131160.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj KS",
    "trailer_playing_url": "",
    "episodes": 32,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   9",
    "nxt_eps_id": 40455,
    "nxt_eps_title": "Queen of Masks 9",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "3 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}