KARACHI – Dil Ka Rishta app, a popular online matrimonial platform in Pakistan, built its reputation as a modern digital solution for traditional matchmaking. However, reports suggest it may have suffered a serious security issue involving an API flaw and misconfigured cloud storage.
This alleged vulnerability could have exposed sensitive personal data of thousands of users, raising major concerns about privacy and data protection on the platform.
A major cybersecurity scare emerged in Pakistan’s rapidly growing online matrimonial sector, as widely used matchmaking platform Dil Ka Rishta is now facing serious allegations of a large-scale data exposure incident involving sensitive personal information of thousands of users.
According to reports, the platform, known for its strong digital branding and modern approach to traditional rishta matchmaking, may have been affected by a critical API vulnerability combined with a misconfigured cloud storage system, potentially exposing data of more than 5,000 to 5,600 users.
The alleged breach is said to have revealed highly sensitive personal details, including full names, phone numbers, dates of birth, marital status, religious background, caste and ethnicity information, educational qualifications, professional details, income-related data, and even profile photographs.
Investigators and reports suggest the issue originated from an Insecure Direct Object Reference (IDOR) vulnerability, a serious security flaw where applications expose internal identifiers, such as sequential user profile IDs, without proper authorization checks. By manipulating these IDs in API requests, attackers could potentially access other users’ private profiles without authentication.
The platform’s backend, reportedly built on Laravel, is alleged to have lacked strong API-level authorization controls. This weakness may have enabled systematic access to user profiles simply by incrementing numeric identifiers, allowing automated extraction of stored records in sequence.
Adding to the concern, a security researcher identified as itsRdhere reportedly exposed the issue on Telegram, claiming that the system also lacked proper rate-limiting protections. Without such safeguards, automated bots can repeatedly send requests, making large-scale scraping of sensitive data significantly easier.
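As an added illustration (not code from Dil Ka Rishta or from the report), the two weaknesses described above in Python: a profile lookup keyed only by a sequential ID, shown beside a handler that authenticates the caller, applies a rate limit and then authorizes access to the specific record. The sample profiles, the visibility policy and the 20-requests-per-minute limit are assumptions.

```python
from collections import defaultdict, deque
import time

# Constructed in-memory profile store with deliberately sequential IDs, mirroring
# the report's description (hypothetical sample data, not real users).
PROFILES = {
    1001: {"owner": "user-a", "name": "Profile A", "public": False},
    1002: {"owner": "user-b", "name": "Profile B", "public": False},
    1003: {"owner": "user-c", "name": "Profile C", "public": True},
}

# Sliding-window rate limit per client (assumed limit: 20 requests per 60 s).
RATE_LIMIT, WINDOW_SECONDS = 20, 60.0
_requests = defaultdict(deque)

def within_rate_limit(client_id, now=None):
    """Return False once a client exceeds RATE_LIMIT requests inside WINDOW_SECONDS."""
    now = time.monotonic() if now is None else now
    q = _requests[client_id]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()  # drop timestamps that fell out of the window
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def can_view(requester, profile):
    """Object-level authorization (assumed policy): owners always see their own
    record, everyone else only if the profile is marked public."""
    return profile["owner"] == requester or profile["public"]

def get_profile_vulnerable(profile_id):
    """The IDOR pattern: the ID alone selects the record; nobody checks who is asking."""
    profile = PROFILES.get(profile_id)
    return (200, profile) if profile else (404, None)

def get_profile(requester, profile_id, now=None):
    """Hardened handler: authenticate, rate-limit, then authorize per object."""
    if requester is None:
        return 401, None
    if not within_rate_limit(requester, now):
        return 429, None
    profile = PROFILES.get(profile_id)
    # Same response for missing and forbidden records, so replies do not confirm which IDs exist.
    if profile is None or not can_view(requester, profile):
        return 404, None
    return 200, profile
```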
One of the most alarming claims involves the platform’s cloud infrastructure, where user profile images were allegedly stored in an Amazon S3 bucket configured without proper access restrictions. In such misconfigured environments, files can become publicly accessible, allowing anyone with a direct link to download images without authentication.
Cybersecurity experts widely warn that APIs are among the most vulnerable parts of modern applications, as they directly connect to backend systems and can unintentionally expose structured user data if not carefully secured.
The incident raises serious concerns due to the platform’s massive user base, reportedly exceeding 7 million downloads, with millions of active profiles including verified users. While primarily operating in Pakistan, Dil Ka Rishta also serves a large audience across the Pakistani and Muslim diaspora in countries such as the UK, UAE, and Canada.
The app has positioned itself as a modern alternative to traditional arranged marriage systems, offering features such as AI-based matchmaking, strict profile verification, advanced search filters (city, profession, education, community preferences), and secure messaging tools. It also allows parents or family members to manage profiles on behalf of users, reflecting cultural matchmaking traditions.
As of now, Dil Ka Rishta has not issued an official, detailed public response regarding the alleged vulnerability, while concerns continue to grow over user privacy, data security, and potential misuse of exposed personal information.
