A security lapse by one of India’s largest pharmacy chains allowed an outsider to gain complete administrative control of its platform, exposing customer order data and sensitive medication management functions, TechCrunch has learned exclusively.
The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail stores across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying an insecure “super administrator” application programming interface on DavaIndia’s website and privately sharing the details with Indian cybersecurity authorities.
This bug has now been fixed and Zveare has disclosed his findings.
The revelation comes as Zota Healthcare rapidly expands its DavaIndia Pharmacy retail business. The Gujarat-headquartered company operates over 2,300 DavaIndia stores across India, including 276 new stores announced in January, and plans to add 1,200 to 1,500 more stores over the next two years.
Zveare told TechCrunch that the flaw was due to an insecure administrative interface that allowed unauthenticated users to create highly privileged “super administrator” accounts.
With this level of access, an attacker could view thousands of online orders, including customer information, change product listings and prices, create discount coupons, and change settings on whether certain drugs require a prescription, researchers said.
Zuber said that based on system timestamps, the vulnerable management interface appears to have been running since late 2024. The company said this access exposed nearly 17,000 online ordering and administrative controls across 883 stores, allowing changes to product pricing, prescription requirements, and promotional discounts. Zubair said this access allowed him to edit the website’s content, which could be used to deface or destroy it.
Pharmacy order data can be particularly sensitive because it can reveal information about an individual’s health, medications, and other personal purchases. When such data is made public, even without evidence of misuse, it poses increased privacy and patient safety risks compared to other consumer information.
“Customer information was tied to the order,” Zuber said. “This includes your name, phone number, email ID, mailing address, total amount paid and products purchased. Since this is a pharmacy, the products you purchase are considered private and may even be embarrassing to some.”
Zuber said he had reported the matter to CERT-In, India’s national cyber emergency response agency, in August 2025. The vulnerability was fixed within weeks, but confirmation from the company took longer and was provided to cyber authorities in late November, he said.
Zota Healthcare CEO Sujit Paul did not respond to an email sent by TechCrunch last month. Researchers said there was no evidence that the flaw had been exploited before the patch was applied.
Source link
