Watch — The Tale of Lady Ok 27

CDN bypass demonstration The API returned playingUrl for The Tale of Lady Ok 27 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/54802/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 68

video_name 27 The Tale of Lady Ok (2025).mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 54802,
    "video_title": "The Tale of Lady Ok 27",
    "description": "Set in the Joseon period, Ok Tae-Young is an attorney with a secret identity. Her name, her husband, and her status are all fake. She meets Cheon Seung-Hwi, a traveling storyteller who falls in love with her at first sight.",
    "video_name": "27 The Tale of Lady Ok (2025).mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "68",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "33h 53m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/2aZamVUHVP5743.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2025-02-17",
    "age_id": "18 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "89379",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "226.23 MB",
    "create_date": "2025-02-17 06:02:23",
    "schedule_date": "17.02.2025 11:58:38 AM",
    "user_id": 1118356,
    "vj_id": 37,
    "video_status_id": 0,
    "network_id": "45.221.10.185",
    "user_access": "deny",
    "notification": "",
    "secduration": "121980.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj KS",
    "trailer_playing_url": "",
    "episodes": 32,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   28",
    "nxt_eps_id": 54803,
    "nxt_eps_title": "The Tale of Lady Ok 28",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "1 year ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}