A Pakistani matrimonial platform called ‘Dil Ka Rishta’ has reportedly exposed 5,663 user profiles through a critical security flaw discovered in its mobile application programming interface.
Security researcher @itsRdhere published findings on May 11, 2026, revealing that the platform's Laravel-based mobile API contained a serious Insecure Direct Object Reference (IDOR) vulnerability.
The flaw allowed unauthorised users to access private profiles sequentially by manipulating numeric profile IDs, bypassing any form of authentication or access control on the platform.
Exposed data included full names, phone numbers, dates of birth, marital status, religion, caste, ethnicity, education level, professional details, income information, and personal photographs.
The researcher further found that profile images were stored in a publicly accessible Amazon S3 bucket, allowing thousands of personal photographs to be downloaded without any authentication requirement.
The report also stated that the platform lacked both proper authorisation checks and rate limiting protections, enabling rapid and automated access to large volumes of individual user profiles.
Affected users were located across multiple cities, with Karachi, Hyderabad, Lahore, Quetta, and Islamabad identified as the most heavily represented locations within the exposed dataset.
The report recommends that the platform implement stricter authorisation controls, replace sequential IDs with UUIDs, enable rate limiting, and secure all cloud storage buckets immediately.
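The following is an added illustration, not code from the platform or from the researcher's report. The report describes the API as Laravel-based, but the access-control logic is framework-independent, so this uses plain Python: a handler in the reported shape (sequential integer ID, no session, no authorisation, no rate limit) sits beside a hardened handler that applies the report's four recommendations. The profile data, account names and the limiter's thresholds are all constructed; the handlers return HTTP-style status codes so the behaviour can be checked directly.

```python
"""Added example: IDOR pattern vs. a hardened profile endpoint (constructed data)."""
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Profile:
    numeric_id: int                       # guessable sequential key (the reported design)
    public_id: str                        # random UUID used as the API identifier instead
    owner: str                            # account that owns this profile
    name: str
    phone: str
    visible_to: Set[str] = field(default_factory=set)  # accounts explicitly granted access


# Constructed sample profiles; phone numbers are placeholders.
PROFILES = [
    Profile(1, str(uuid.uuid4()), "alice", "Alice Khan", "+92-300-0000001"),
    Profile(2, str(uuid.uuid4()), "bilal", "Bilal Ahmed", "+92-300-0000002", {"alice"}),
    Profile(3, str(uuid.uuid4()), "carol", "Carol Raza", "+92-300-0000003"),
]
BY_NUMERIC: Dict[int, Profile] = {p.numeric_id: p for p in PROFILES}
BY_UUID: Dict[str, Profile] = {p.public_id: p for p in PROFILES}

Response = Tuple[int, Optional[dict]]


def vulnerable_get_profile(profile_id: int) -> Response:
    """The reported pattern: no session, no ownership check, lookup by integer.
    Any caller who changes the number in the URL reads someone else's record."""
    p = BY_NUMERIC.get(profile_id)
    if p is None:
        return 404, None
    return 200, {"name": p.name, "phone": p.phone}


class RateLimiter:
    """Sliding-window limiter keyed by caller: at most `limit` requests per
    `window` seconds. The clock is injectable so behaviour is testable."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, List[float]] = {}

    def allow(self, caller: str) -> bool:
        now = self.clock()
        hits = [t for t in self._hits.get(caller, []) if now - t < self.window]
        if len(hits) >= self.limit:
            self._hits[caller] = hits
            return False
        hits.append(now)
        self._hits[caller] = hits
        return True


DEFAULT_LIMITER = RateLimiter(limit=5, window=60.0)


def hardened_get_profile(session_user: Optional[str], public_id: str,
                         limiter: RateLimiter = DEFAULT_LIMITER) -> Response:
    """Applies the report's recommendations in order:
    1. require an authenticated session (401 otherwise);
    2. rate-limit per account before any data access (429);
    3. look the profile up by its random UUID, not a sequential integer;
    4. object-level authorisation: owner or explicitly granted viewer only.
    Unknown and forbidden UUIDs both yield 403 so the response does not
    reveal whether a given identifier exists."""
    if session_user is None:
        return 401, None
    if not limiter.allow(session_user):
        return 429, None
    p = BY_UUID.get(public_id)
    if p is None or not (p.owner == session_user or session_user in p.visible_to):
        return 403, None
    return 200, {"name": p.name, "phone": p.phone}


if __name__ == "__main__":
    target = PROFILES[1]  # Bilal's profile; Alice has been granted access, Carol has not
    print("vulnerable, anonymous, id=2 ->", vulnerable_get_profile(2))
    print("hardened, anonymous        ->", hardened_get_profile(None, target.public_id))
    print("hardened, alice            ->", hardened_get_profile("alice", target.public_id))
    print("hardened, carol            ->", hardened_get_profile("carol", target.public_id))
```

The ordering inside `hardened_get_profile` matters: the session and rate-limit checks run before the record is loaded, so an unauthenticated or abusive caller never causes a database read, and the authorisation check compares the caller to the record's owner rather than trusting anything in the request. Replacing the integer with a UUID is defence in depth, not the fix on its own: the ownership check is what closes the IDOR.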
Experts also advised that the platform rotate all exposed API credentials, notify affected users of the breach, and commission a full independent security audit of its systems.