SECURITY RESEARCH Player PoC: stream plays from Munowatch CDN with no valid subscription. Server-side entitlement not enforced.
SECURITY PoC — NO AUTH
CDN bypass demo: stream served without an auth header
CDN bypass demonstration
The API returned playingUrl for The Wrong Roommate with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence (entitlement results, CDN URLs, and the raw API response)
Result: access control failed
API response evidence
  Endpoint called:      GET /api/preview/v2/5667/0
  User ID used:         0 (no user / not logged in)
  JWT used:             expired Feb 2024 (extracted from APK)
  issubscriber:         false
  user_access:          deny
  paid_for:             free
  substatus:
  playingUrl:           returned
  API playingUrl value:
  CDN demo stream:      https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).
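The gap the finding describes, as an added example that is not part of this report or of Munowatch's code: a constructed Python handler that reproduces the defect (playingUrl emitted regardless of the entitlement fields in the same response) beside a corrected one that rejects the expired token, lets the server decide access, and only then hands out a short-lived signed CDN URL. Field names mirror the page; check_entitlement(), the HMAC token scheme and the cdn.example host are assumptions.

```python
"""Server-side entitlement gate for a /api/preview/v2/<content_id>/<user_id>
style endpoint (constructed example; field names follow the report)."""
import hashlib
import hmac

CDN_SIGNING_KEY = b"rotate-me"   # constructed placeholder, not a real key
JWT_EXP_2024 = 1709164800        # constructed: approx. end of Feb 2024 (epoch)


def check_entitlement(user_id: int, now: int, jwt_exp: int) -> dict:
    """Constructed lookup: user 0 is anonymous and an expired JWT never
    grants a subscription, so both cases yield user_access = deny."""
    expired = now >= jwt_exp
    subscriber = user_id != 0 and not expired
    return {"issubscriber": subscriber,
            "user_access": "allow" if subscriber else "deny",
            "jwt_valid": not expired}


def signed_cdn_url(path: str, now: int, ttl: int = 300) -> str:
    """Short-lived URL. The CDN is assumed to verify exp/tok, so a leaked
    link stops working after ttl seconds and bare Range requests fail."""
    expires = now + ttl
    mac = hmac.new(CDN_SIGNING_KEY, f"{path}:{expires}".encode(),
                   hashlib.sha256).hexdigest()[:32]
    return f"https://cdn.example/{path}?exp={expires}&tok={mac}"


def preview_response_vulnerable(content_id, user_id, now, jwt_exp):
    ent = check_entitlement(user_id, now, jwt_exp)
    # Defect as reported: playingUrl is returned even when the same
    # response says issubscriber=false and user_access=deny.
    return {**ent, "paid_for": "free", "playingUrl": f"{content_id}.mp4"}


def preview_response_fixed(content_id, user_id, now, jwt_exp):
    ent = check_entitlement(user_id, now, jwt_exp)
    if not ent["jwt_valid"]:
        return {"error": "unauthorized"}      # expired token: no data at all
    resp = {**ent, "paid_for": "free"}
    if ent["user_access"] == "allow":         # the server decides, not the app
        resp["playingUrl"] = signed_cdn_url(f"{content_id}.mp4", now)
    return resp
```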