Watch — The Legend of Xiao Chuo 22

CDN bypass demonstration The API returned playingUrl for The Legend of Xiao Chuo 22 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/17468/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 30

video_name xiao chuo 22.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 17468,
    "video_title": "The Legend of Xiao Chuo 22",
    "description": " Late in the 10th century, the Liao dynasty is at the zenith of its power. The omnipotent Liao rule much of what is now Northeast China, Mongolia, Russia, and much of the Korean Peninsula. Prime Minister Xiao Si Wen and Princess Yan have three daughters, with the youngest, Xiao Chao, their favourite.  Her heart belongs to the aspiring military commander, Han De Rang, whose family have served the Liao loyally for decades. However, her parents have other plans, sucessfully arranging her marriage to  Liao Emperor, Jin Zhong, whom she eventually concedes to marry.  As the Emperor\u2019s queen, she becomes a fierce defender of the Liao by assisting in mobilizing the army, heading a 10,000-strong cavalry and providing support to the civil administration. Eventually, she will earn the title of Empress.",
    "video_name": "xiao chuo 22.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "30",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "42h 12m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/560267040885.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2021-08-18",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "97163",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "322.47 MB",
    "create_date": "2021-08-18 11:38:56",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 29,
    "video_status_id": 0,
    "network_id": "45.221.8.174",
    "user_access": "deny",
    "notification": "",
    "secduration": "151920.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Little T",
    "trailer_playing_url": "",
    "episodes": 47,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   23",
    "nxt_eps_id": 17469,
    "nxt_eps_title": "The Legend of Xiao Chuo 23",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "5 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}