Saturday, February 14, 2026

Security flaw at DavaIndia Pharmacy exposed customer data and admin controls

A major security lapse at DavaIndia Pharmacy allowed outsiders to gain full administrative access to its platform, exposing customer order data and sensitive internal controls. The issue was revealed by a publication after security researcher Eaton Zveare identified insecure super admin application programming interfaces on the company’s website and shared the details with Indian cybersecurity authorities.

The vulnerability affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large retail network across India. Zveare found that, because the admin interfaces were insecure, unauthenticated users could create super admin accounts with high-level privileges. With such access, an attacker could view thousands of online orders containing customer information, modify product listings and prices, generate discount coupons and change settings related to prescription requirements for certain medicines.

According to the researcher, system timestamps showed that the vulnerable admin interfaces had been active since late 2024. The exposure impacted nearly 17,000 online orders and administrative controls across 883 stores. It allowed potential changes to product pricing, prescription rules and promotional discounts. Zveare also said the access made it possible to edit website content, which could have been used for defacement or service disruption. “Customer information was linked to their orders,” said Zveare. “This includes name, phone numbers, email IDs, mailing addresses, total amount paid and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people.”

Pharmacy data is especially sensitive as it may reveal details about a person’s health conditions, medications, or private purchases. Zveare reported the issue to CERT-In in August 2025. The flaw was fixed within weeks, though confirmation from the company was provided to cyber authorities in late November. Zota Healthcare, headquartered in Gujarat, operates more than 2,300 DavaIndia stores, including 276 new outlets announced in January, and plans to add 1,200 to 1,500 more over the next 2 years. Sujit Paul, chief executive of Zota Healthcare, did not respond to emails sent by the publication last month. The researcher said there was no evidence that the vulnerability had been exploited before it was patched.
