A security flaw at one of India’s largest pharmacy chains allowed outsiders to gain full administrative control of its platform, exposing customer order data and sensitive drug control functions, TechCrunch has learned exclusively.
The issue affected DavaIndia Pharmacy, the pharmacy division of Zota Healthcare, which operates a large network of retail stores across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after spotting insecure “super admin” APIs on DavaIndia’s website, and that he privately shared his findings with Indian cybersecurity authorities.
Now that the bug is fixed, Zveare has publicly disclosed his findings.
The report comes as Zota Healthcare is rapidly scaling up the retail business of DavaIndia Pharmacy. The Gujarat-based company has more than 2,300 DavaIndia stores across India, including 276 new points of sale announced in January, and plans to add another 1,200 to 1,500 over the next two years.
Zveare told TechCrunch that the flaw stemmed from insecure admin interfaces, which allowed unauthenticated users to create “super admin” accounts with elevated privileges.
With that level of access, an attacker could view thousands of online orders containing customer information, modify product listings and prices, create discount coupons and change settings governing whether certain drugs require a prescription, the researcher said.
Based on system timestamps, Zveare said the vulnerable administrative interfaces appeared to have been live since late 2024. The access exposed nearly 17,000 online orders and administrative controls covering 883 stores, he said, allowing changes to product pricing, prescription requirements and promotional discounts. Zveare said the access also allowed modifications to website content that could have been used to distort the site or disrupt it.
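The flaw class described above, an admin-account endpoint that never checks who is calling, modelled as an added example (constructed code, not DavaIndia’s or Zota Healthcare’s; the handler, store and role names are hypothetical). The vulnerable shape hands out a “super admin” account to any caller; the hardened shape requires an authenticated super admin, allow-lists the role granted and refuses to overwrite existing accounts.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    role: str  # "customer", "store_admin" or "super_admin"


@dataclass
class Request:
    body: dict                           # JSON body sent by the caller
    session_user: Optional[User] = None  # None means no valid session (unauthenticated)


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # username -> User


def create_admin_vulnerable(store: UserStore, req: Request) -> tuple:
    """Vulnerable shape: role is taken straight from the body and nobody
    checks whether the caller is logged in, let alone already an admin."""
    user = User(req.body["username"], req.body.get("role", "super_admin"))
    store.users[user.username] = user
    return 201, {"created": user.username, "role": user.role}


def create_admin_hardened(store: UserStore, req: Request) -> tuple:
    """Hardened shape: authenticate, authorise by role, allow-list the role
    being granted, and never silently replace an existing account."""
    caller = req.session_user
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller.role != "super_admin":
        return 403, {"error": "only a super admin may create admin accounts"}
    role = req.body.get("role", "store_admin")
    if role not in ("store_admin", "super_admin"):
        return 400, {"error": "unknown role"}
    username = req.body.get("username", "")
    if not username or username in store.users:
        return 409, {"error": "username missing or already taken"}
    store.users[username] = User(username, role)
    return 201, {"created": username, "role": role, "by": caller.username}


def demo() -> tuple:
    """Runs both handlers against the same unauthenticated request."""
    anon = Request(body={"username": "intruder"})
    vuln_status, vuln_body = create_admin_vulnerable(UserStore(), anon)
    hard_status, _ = create_admin_hardened(UserStore(), anon)
    return vuln_status, vuln_body["role"], hard_status
```

In a real deployment the 401/403 responses on this path are also the events worth alerting on, since legitimate admin creation should be rare and always attributable to a named super admin.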
Pharmacy order data can be particularly sensitive as it may reveal information about an individual’s health status, medications or other private purchases. Exposure of such data, even without evidence of misuse, carries increased risks to patient privacy and security compared to other consumer information.
“Customer information was linked to their orders,” Zveare said. “This includes name, phone numbers, email IDs, postal addresses, total amount paid and products purchased. As this is a pharmacy, the products purchased could be considered private and even embarrassing to some people.”
Zveare said he reported the issue to CERT-In, India’s national cyber emergency response agency, in August 2025. The vulnerability was patched within weeks, though confirmation from the company took longer and was given to cyber authorities in late November, he said.
Sujit Paul, CEO of Zota Healthcare, did not respond to emails sent by TechCrunch last month. The researcher said there was no indication that the flaw had been exploited before it was patched.
