DGP A.I CyberSecurity Scoring
DGP
Company Information
Website: http://www.davaindia.com/
Employees number: 1,182
Number of followers: 9,931
NAICS: 71394
Industry Type: Wellness and Fitness Services
Homepage: davaindia.com
DGP Risk Score (AI oriented)
Between 700 and 749
DGP, Wellness and Fitness Services
Updated: 04/04/2026
Score: 749/1000 (Moderate, Ba)
Current Score: 749 Ba (MODERATE)
Scale: 0 to 1000
2 incidents
-11 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 750
MAY 2026: 750
APRIL 2026: 750
MARCH 2026: 749
FEBRUARY 2026: 755
Vulnerability
13 Feb 2026 • DGP
Zota Healthcare and DavaIndia Pharmacy: Indian pharmacy chain giant exposed customer data and internal systems
DavaIndia Pharmacy Security Flaw Exposed Customer Data and Admin Controls
749
CRITICAL-6
DAV1771050672
A critical security vulnerability in DavaIndia Pharmacy, the pharmacy arm of India’s Zota Healthcare, allowed unauthorized access to full administrative controls and sensitive customer order data. The flaw, discovered by security researcher Eaton Zveare, stemmed from insecure "super admin" application programming interfaces (APIs) on the company’s platform.
The exposure enabled unauthenticated users to create high-privilege accounts, granting access to nearly 17,000 online orders and administrative functions across 883 stores. Attackers could have viewed customer details including names, phone numbers, email addresses, and purchased medications while also modifying product prices, prescription requirements, and promotional discounts. The vulnerable interfaces had been active since late 2024, with system timestamps confirming the exposure.
Zveare reported the issue to India’s national cyber emergency response agency, CERT-In, in August 2025. The flaw was patched within weeks, though official confirmation from Zota Healthcare was delayed until late November. The company, which operates over 2,300 retail outlets across India and plans to expand further, did not respond to requests for comment. There is no evidence the vulnerability was exploited before being fixed.
The incident highlights the heightened privacy risks associated with pharmacy data, as exposed order details could reveal sensitive health information. Zota Healthcare’s rapid expansion, including 276 new stores announced in January 2025 and plans for 1,200–1,500 additional outlets, underscores the potential scale of such vulnerabilities.
JANUARY 2026: 755
DECEMBER 2025: 755
NOVEMBER 2025: 754
OCTOBER 2025: 754
SEPTEMBER 2025: 754
AUGUST 2025: 770
Vulnerability
01 Aug 2025 • DGP
Zota Healthcare and DavaIndia Pharmacy: Indian pharmacy chain giant exposed customer data and internal systems
DavaIndia Pharmacy Flaw Exposed Sensitive Customer Data, Allowed Unauthorized 'Super Admin' Access
754
CRITICAL-16
ZOTDAV1771331028
A critical security vulnerability in DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare with over 2,300 stores across India, allowed unauthenticated users to create "super admin" accounts with full system privileges. The flaw, introduced in late 2024, exposed highly sensitive customer data tied to nearly 17,000 online orders across 800+ stores, including health conditions, medications, personal details, and purchase histories.
Security researcher Eaton Zveare discovered the bug, which enabled attackers to:
- Access and exfiltrate customer data (names, phone numbers, emails, addresses, and purchased products).
- Tamper with product listings, including modifying prices and prescription requirements.
- Create unauthorized discounts, coupons, and alter administrative controls.
Zveare described the exposed data as potentially "private and even embarrassing" due to the nature of pharmacy purchases. While no evidence suggests malicious exploitation, the flaw remained unpatched until mid-September 2025, following Zveare’s responsible disclosure to CERT-In (India’s national cybersecurity agency) in August 2025. DavaIndia confirmed the fix in late November 2025, though no customer action such as password resets was required, as payment data and other secrets remained secure.
The incident highlights risks in handling sensitive health-related data, particularly in large-scale digital pharmacy platforms.
JULY 2025: 770