A security lapse at one of India’s largest pharmacy chains allowed outsiders to gain full administrative control of its platform. This exposed customer order data and sensitive drug-control functions. The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail outlets across India.
Security researcher Eaton Zveare discovered the flaw after identifying insecure super admin application programming interfaces on DavaIndia’s website. He privately shared details with Indian cybersecurity authorities. The bug is now fixed.
The exposure comes as Zota Healthcare rapidly scales DavaIndia Pharmacy’s retail business. The Gujarat-headquartered company operates more than 2,300 DavaIndia stores across India. It announced 276 new outlets in January and plans to add another 1,200 to 1,500 over the next two years.
Zveare explained that the flaw stemmed from insecure admin interfaces, which allowed unauthenticated users to create super admin accounts with high privileges. With that level of access, an attacker could view thousands of online orders containing customer information, modify product listings and prices, create discount coupons, and change settings governing whether certain medicines required a prescription.
Based on system timestamps, the vulnerable administrative interfaces appeared to have been live since late 2024. The access exposed nearly 17,000 online orders and administrative controls spanning 883 stores, allowing changes to product pricing, prescription requirements, and promotional discounts. Zveare said the access also allowed edits to website content that could have been used for defacement or disruption.
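The root cause described above is an account-creation endpoint reachable without authentication or a role check. The following is an added illustration, not DavaIndia's or Zota Healthcare's code, of that weak handler beside a hardened one that authenticates the caller, requires an existing super admin, and keeps the new account's role server-controlled; the `Request`, `UserStore` and token names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

SUPER_ADMIN = "super_admin"
ALLOWED_ROLES = {SUPER_ADMIN, "store_manager"}  # constructed role set


@dataclass
class Request:
    body: dict
    session_token: Optional[str] = None  # constructed: bearer-style token


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)     # username -> {"role": ...}
    sessions: dict = field(default_factory=dict)  # token -> username
    audit: list = field(default_factory=list)     # who created whom


def create_admin_vulnerable(store: UserStore, req: Request) -> int:
    """Weak pattern: no authentication, no authorization, caller picks the role."""
    store.users[req.body["username"]] = {"role": req.body.get("role", SUPER_ADMIN)}
    return 201


def create_admin_hardened(store: UserStore, req: Request) -> int:
    """Hardened pattern: authenticate, authorize, validate role, record an audit entry."""
    # 1. Authenticate: the token must map to a live session.
    caller = store.sessions.get(req.session_token)
    if caller is None:
        return 401
    # 2. Authorize: only an existing super admin may create privileged accounts.
    if store.users.get(caller, {}).get("role") != SUPER_ADMIN:
        return 403
    # 3. Validate: the role comes from a server-side allow list, not free text.
    role = req.body.get("role")
    if role not in ALLOWED_ROLES or req.body["username"] in store.users:
        return 400
    store.users[req.body["username"]] = {"role": role, "created_by": caller}
    # 4. Record the privileged action so unexpected admin creation is detectable.
    store.audit.append((caller, req.body["username"], role))
    return 201
```

The audit list is the detection hook: a new super admin created by an unknown or unauthenticated caller should never appear there, and any entry that does is a finding worth investigating.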
Pharmacy order data can be particularly sensitive, as it may reveal information about a person’s health conditions, medications, or other private purchases. Exposure of such data carries heightened privacy and patient-safety risks compared with other consumer information.
Zveare stated that customer information was linked to their orders. This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people.
Zveare reported the issue to CERT-In, India’s national cyber emergency response agency, in August 2025. The vulnerability was fixed within weeks, though confirmation from the company took longer and was provided to the cyber authorities in late November.
Sujit Paul, chief executive of Zota Healthcare, did not respond to emails seeking comment. The researcher said there was no indication the flaw had been exploited before it was patched.