
A security lapse at DavaIndia Pharmacy allowed outsiders to gain full administrative control of the company’s platform, exposing customer order data and sensitive controls over medicines, TechCrunch has learned. The issue affected the pharmacy arm of Zota Healthcare, which runs a large retail network across India. Security researcher Eaton Zveare said the flaw involved insecure “super admin” application programming interfaces on DavaIndia’s website. The company has fixed the bug, and Zveare has disclosed his findings.
What Was Exposed
With super admin access, an attacker could view thousands of online orders that included customer information, Zveare said. He said the access also allowed changes to product listings and prices, creation of discount coupons, and adjustments to settings that determine whether certain medicines require a prescription. The same access could be used to edit website content in ways that could enable defacement or disruption. Zveare said the exposed data included names, phone numbers, email addresses, mailing addresses, total amounts paid, and the products purchased. He said pharmacy orders can be particularly sensitive because they can reveal health conditions, medications, or other private purchases.
How The Bug Worked
Zveare said the flaw stemmed from insecure administrative interfaces that allowed unauthenticated users to create “super admin” accounts with high privileges. Based on system timestamps, he said the vulnerable interfaces appeared to have been live since late 2024. He said the access exposed nearly 17,000 online orders and administrative controls spanning 883 stores.
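To make the bug class concrete, the handler pair below is an added, hypothetical illustration written for this page; it is not code from DavaIndia, Zota Healthcare or the researcher, and the endpoint path `/api/admin/users`, the role names and the bearer tokens are all invented. The first handler lets anyone who can reach the URL mint a `super_admin` account, which is the pattern described above. The second requires a valid session, checks that the caller is already a super admin, defaults new accounts to the least-privileged role, rejects unknown roles and duplicates, and writes an audit record.

```python
"""Hypothetical unauthenticated admin-creation API and a hardened version.
Not DavaIndia's code; every path, role and token here is constructed."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    json: dict = field(default_factory=dict)


ADMIN_PATH = "/api/admin/users"  # hypothetical endpoint
VALID_ROLES = {"super_admin", "store_manager", "catalog_editor"}


def create_admin_vulnerable(req: Request, users: dict):
    """Missing authentication for a critical function (CWE-306): the handler
    never asks who the caller is and trusts the client-supplied role."""
    if req.method != "POST" or req.path != ADMIN_PATH:
        return 404, {"error": "not found"}
    username = req.json["username"]
    users[username] = req.json.get("role", "super_admin")
    return 201, {"created": username, "role": users[username]}


def session_key(token: str) -> str:
    """Sessions are keyed by a hash of the bearer token, so lookup is a dict
    access on the digest and raw tokens are never stored or compared with ==."""
    return hashlib.sha256(token.encode()).hexdigest()


def authenticate(req: Request, sessions: dict):
    """Return the session for a valid 'Authorization: Bearer <token>' header, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return sessions.get(session_key(auth[len("Bearer "):]))


def create_admin_hardened(req: Request, users: dict, sessions: dict, audit: list):
    """Same endpoint with authentication, authorization, safe defaults and auditing."""
    if req.method != "POST" or req.path != ADMIN_PATH:
        return 404, {"error": "not found"}
    caller = authenticate(req, sessions)
    if caller is None:
        return 401, {"error": "authentication required"}
    username = req.json.get("username")
    if caller["role"] != "super_admin":
        # Only an existing super admin may mint administrative accounts.
        audit.append(("denied", caller["user"], username))
        return 403, {"error": "insufficient privilege"}
    role = req.json.get("role", "store_manager")  # least privilege by default
    if not username or role not in VALID_ROLES:
        return 400, {"error": "invalid username or role"}
    if username in users:
        return 409, {"error": "user exists"}
    users[username] = role
    audit.append(("created", caller["user"], username, role))
    return 201, {"created": username, "role": role}


def demo() -> dict:
    """Run both handlers against constructed requests; returns the status codes."""
    sessions = {  # constructed sessions for two pre-existing accounts
        session_key("tok-ops-lead"): {"user": "ops-lead", "role": "super_admin"},
        session_key("tok-store-883"): {"user": "store-883", "role": "store_manager"},
    }
    users, audit = {}, []
    anon = Request("POST", ADMIN_PATH, json={"username": "attacker"})
    as_manager = Request("POST", ADMIN_PATH,
                         headers={"Authorization": "Bearer tok-store-883"},
                         json={"username": "attacker", "role": "super_admin"})
    as_super = Request("POST", ADMIN_PATH,
                       headers={"Authorization": "Bearer tok-ops-lead"},
                       json={"username": "newadmin", "role": "catalog_editor"})
    bad_role = Request("POST", ADMIN_PATH,
                       headers={"Authorization": "Bearer tok-ops-lead"},
                       json={"username": "other", "role": "god"})
    return {
        "vuln_anon": create_admin_vulnerable(anon, {})[0],
        "hard_anon": create_admin_hardened(anon, users, sessions, audit)[0],
        "hard_store_manager": create_admin_hardened(as_manager, users, sessions, audit)[0],
        "hard_super_admin": create_admin_hardened(as_super, users, sessions, audit)[0],
        "hard_duplicate": create_admin_hardened(as_super, users, sessions, audit)[0],
        "hard_bad_role": create_admin_hardened(bad_role, users, sessions, audit)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check a practitioner would run against any admin API is the same as the anonymous request in `demo()`: send the privileged call with no credentials at all, then with credentials of a low-privilege account, and confirm you get 401 and 403 rather than 201.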
Scale Of The Business
The exposure comes as Zota Healthcare expands DavaIndia Pharmacy’s retail operation. The Gujarat-based company operates more than 2,300 DavaIndia stores across India, announced 276 new outlets in January, and plans to add another 1,200 to 1,500 stores over the next two years.
Timeline And Disclosure
Zveare said he reported the issue to CERT-In, India’s national cyber emergency response agency, in August 2025. He said the vulnerability was fixed within weeks, while confirmation from the company to the authorities arrived later, in late November. He said there was no indication the flaw had been exploited before it was patched.
Featured image credits: Pexels
