Indian Pharmacy Giant DavaIndia Exposed Customer Data Through Admin Flaw
Security lapse allowed outsiders to create “super admin” accounts, access orders, and alter drug controls.
A security lapse at DavaIndia Pharmacy, owned by Zota Healthcare, exposed customer order data and critical administrative controls.
The flaw allowed unauthenticated outsiders to gain full administrative access to the platform.
Security researcher Eaton Zveare discovered the issue and reported it to Indian authorities.
- Platform: DavaIndia Pharmacy
- Issue: insecure “super admin” APIs
- Impact: customer data and system controls exposed
Super Admin Access Without Authentication
Zveare said the vulnerability stemmed from insecure administrative interfaces.
The flaw allowed attackers to create “super admin” accounts without authentication.
With that level of access, a malicious actor could:
- View thousands of online orders
- Modify product listings and pricing
- Create discount coupons
- Change prescription requirements
Administrative access also allowed edits to website content, raising risks of defacement or disruption.
In effect, outsiders could manipulate both commerce and drug-control settings.
Nearly 17,000 Orders Exposed
Based on system timestamps, the vulnerable interfaces appeared to have been active since late 2024.
Zveare estimated exposure of nearly 17,000 online orders and administrative controls across 883 stores.
DavaIndia operates more than 2,300 stores nationwide, including 276 new outlets announced in January, with plans to add 1,200 to 1,500 more over two years.
- 17,000 orders potentially exposed
- 883 stores affected at admin level
- 2,300+ stores in operation
The exposure occurred as the Gujarat-based company rapidly expanded its retail footprint.
Sensitive Pharmacy Data at Risk
Pharmacy data carries heightened privacy risks.
Order records may reveal medical conditions, medications, or other sensitive purchases.
“Customer information was linked to their orders,” Zveare said.
He noted exposed data included names, phone numbers, email addresses, mailing addresses, total amounts paid, and purchased products.
For a pharmacy chain, such details can be deeply personal.
Even without confirmed misuse, the exposure raises patient-safety and reputational concerns.
Disclosure and Patch Timeline
Zveare reported the issue to CERT-In, India’s national cyber emergency agency, in August 2025.
The vulnerability was fixed within weeks, he said.
Formal confirmation from the company was provided to authorities in late November.
- Reported: August 2025
- Fixed: within weeks
- Confirmation: November 2025
Zveare said he found no evidence the flaw was exploited before patching.
Company Response
TechCrunch contacted Sujit Paul, CEO of Zota Healthcare, but did not receive a response.
The company has not publicly disclosed the incident.
Is rapid retail expansion outpacing cybersecurity controls?
As pharmacy platforms digitize sensitive health transactions at scale, administrative security becomes more than an IT concern — it becomes a public trust issue.
TL;DR: A vulnerability at DavaIndia Pharmacy allowed unauthenticated users to create super admin accounts, exposing nearly 17,000 customer orders and administrative controls across 883 stores. The flaw, active since late 2024, was reported in August 2025 and fixed within weeks. No confirmed misuse was found.