Watch — The Emperor: Owner of the Mask 9

CDN bypass demonstration The API returned playingUrl for The Emperor: Owner of the Mask 9 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/15445/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 26

video_name empror ruler master of the mask 9_x264.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 15445,
    "video_title": "The Emperor: Owner of the Mask 9",
    "description": " The story of a crown prince named Lee Sun who fights the Pyeonsuhwe society that holds absolute power over the kingdom and also controls the water supply by privatizing it. The drama involves romance, action and court politics as the Crown prince, Lee Sun fights heroically on behalf of the people and Han Ga Eun finds herself falling in love with him instead of avenging the execution of her father at his hands. In \u201cThe Emperor: Owner of the Mask,\u201d there is palace intrigue revolving around the true power behind the throne, and a plot twist when the prince switches identities with a commoner. But the overall theme of the show is love, which underlies the romance between a prince and his girl as well as the compassion for the country and people.",
    "video_name": "empror ruler master of the mask 9_x264.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "26",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "33h 32m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/865085759945.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2021-05-17",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "16187",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "216.02 MB",
    "create_date": "2021-05-17 13:17:11",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 24,
    "video_status_id": 0,
    "network_id": "45.221.8.174",
    "user_access": "deny",
    "notification": "",
    "secduration": "120720.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Hd",
    "trailer_playing_url": "",
    "episodes": 40,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   10",
    "nxt_eps_id": 15446,
    "nxt_eps_title": "The Emperor: Owner of the Mask 10",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "5 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}