Pakistani matrimonial platform ‘Dil Ka Rishta’ has exposed personal data of 5,663 users through a critical vulnerability in its mobile application programming interface.
The vulnerability was disclosed in a published security report dated 11 May 2026, raising serious concerns about data privacy protections in local Pakistani digital platforms and applications.
The report identified a flaw in the mobile API of the platform that allowed user profiles to be accessed sequentially by manipulating numeric profile identification numbers within the system.
Nature of the Vulnerability
The security report described the issue as an Insecure Direct Object Reference, commonly known as an IDOR vulnerability, found within Dil Ka Rishta’s Laravel-based mobile API infrastructure.
IDOR vulnerabilities allow unauthorised users to access private records by simply altering object identifiers within API requests, because the server never checks whether the requester is actually permitted to access the referenced object.
The researcher, identified as @itsRdhere on Telegram, claimed that at the time of the reported discovery the platform lacked both proper authorisation checks and rate limiting protections, enabling rapid automated access to thousands of user profiles in a short period.
Data Exposed
According to the report, the exposed user data included full names, phone numbers, dates of birth, and marital status, alongside religion, caste, ethnicity, and detailed educational information.
The breach also reportedly exposed users’ profession details, income information, and profile photographs, representing a significant volume of highly sensitive and personal biographical data.
The researcher further alleged that profile images were stored in a publicly accessible Amazon S3 cloud storage bucket, with no authentication restrictions in place to prevent direct access.
This configuration reportedly allowed thousands of personal photographs to be downloaded directly from the bucket without requiring any login or verification credentials whatsoever.
Wider Cybersecurity Context
Cybersecurity experts have frequently warned that APIs remain one of the most overlooked attack surfaces in modern software applications, particularly those serving large consumer audiences.
Apps that expose sequential numeric identifiers without strict access validation are considered especially vulnerable to IDOR-style attacks, which require minimal technical expertise to execute.
Weak cloud storage configurations and publicly accessible storage buckets have been linked to multiple large-scale data leaks affecting millions of users globally in recent years.
The security report outlined several immediate remediation steps it called on Dil Ka Rishta to implement in order to protect remaining user data from further potential exposure.
- Implement stricter authorisation controls across all API endpoints immediately
- Replace sequential numeric IDs with universally unique identifiers (UUIDs)
- Enable rate limiting to prevent automated or bulk data harvesting
- Secure all cloud storage buckets and restrict public access permissions
- Rotate any exposed API credentials that may have been compromised
- Notify all affected users and conduct a full independent security audit
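To make the first four remediation points concrete, here is an added illustration, written for this article and not Dil Ka Rishta's own code, of what the described IDOR looks like in a Laravel API and how the same endpoint looks once per-object authorisation, throttling, UUID lookups and private photo storage are in place. The Profile model, ProfilePolicy, controller and route names are hypothetical, and the policy is assumed to be registered (Laravel auto-discovers it under App\Policies).

```php
<?php
// Added example (hypothetical names): a Laravel profile endpoint before and
// after the fixes listed in the report.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Auth\Access\HandlesAuthorization;

// BEFORE: the identifier in the URL is trusted as-is, so any caller can walk
// /api/profiles/1, /api/profiles/2, ... and read every record (IDOR).
class VulnerableProfileController extends Controller
{
    public function show(int $id)
    {
        return Profile::findOrFail($id); // no check that the caller may see it
    }
}

// AFTER (1): a policy decides whether *this* user may view *this* profile.
// $this->authorize() throws a 403 whenever the policy returns false.
class ProfilePolicy
{
    use HandlesAuthorization;

    public function view(User $user, Profile $profile): bool
    {
        // Example rule: the owner, or a user whose match request was approved.
        return $user->id === $profile->user_id
            || $profile->matches()->where('user_id', $user->id)->where('approved', true)->exists();
    }
}

class ProfileController extends Controller
{
    public function show(Request $request, Profile $profile)
    {
        $this->authorize('view', $profile); // enforced on every request
        $data = $profile->only(['display_name', 'city', 'education', 'profession']);
        // AFTER (4): photos live in a private S3 bucket; hand out a short-lived
        // signed URL instead of a permanently public object link.
        $data['photo_url'] = Storage::disk('s3')->temporaryUrl($profile->photo_path, now()->addMinutes(10));
        return $data;
    }
}

// AFTER (2)+(3): the route requires a logged-in user, limits each caller to
// 30 requests per minute, and binds on a random 'uuid' column (added via
// $table->uuid('uuid')->unique() in a migration) rather than the sequential id.
Route::middleware(['auth:sanctum', 'throttle:30,1'])->group(function () {
    Route::get('/api/profiles/{profile:uuid}', [ProfileController::class, 'show']);
});
```

The throttle only slows enumeration; the policy check is what actually closes the IDOR, which is why the report lists authorisation controls first.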