Indian pharmacy chain exposes customer data due to security lapse
The issue allowed unauthorized access to its platform

Feb 14, 2026
02:52 pm

What's the story

One of India's largest pharmacy chains, DavaIndia Pharmacy, has experienced a security lapse, according to TechCrunch. The issue allowed unauthorized access to its platform and exposed customer order data as well as sensitive drug-control functions. The vulnerability was discovered by security researcher Eaton Zveare, who found insecure "super admin" application programming interfaces (APIs) on the company's website.

Research revelations

Vulnerability reported to Indian cybersecurity authorities

Zveare reported his findings to Indian cybersecurity authorities after discovering the flaw. The issue is particularly concerning as Zota Healthcare, the parent company of DavaIndia Pharmacy, is rapidly expanding its retail business. The Gujarat-based firm already has over 2,300 DavaIndia stores in India and plans to open another 1,200-1,500 in the next two years.

Vulnerability details

Insecure admin interfaces allowed unauthenticated access

The security flaw was due to insecure admin interfaces that let unauthenticated users create "super admin" accounts with high privileges. This level of access could have been exploited by an attacker to view thousands of online orders with customer information, modify product listings and prices, create discount coupons, and even change settings governing whether certain medicines required a prescription.

Data exposure

Exposed data included nearly 17,000 online orders

The vulnerable administrative interfaces had been live since late 2024, according to system timestamps. They exposed nearly 17,000 online orders and administrative controls across 883 stores. This access allowed changes to product pricing, prescription requirements, and promotional discounts. Zveare noted that this access could have been used for defacement or disruption by editing website content.

Privacy concerns

Pharmacy order data is more sensitive than regular consumer information

Pharmacy order data is particularly sensitive as it can reveal information about a person's health conditions, medications or other private purchases. The exposure of such data, even without evidence of misuse, poses greater privacy and patient-safety risks than other consumer information. "Customer information was linked to their orders," Zveare said. "This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased."

Issue resolution

Vulnerability fixed within weeks

Zveare reported the vulnerability to CERT-In, India's national cyber emergency response agency, in August 2025. The issue was fixed within weeks, but confirmation from the company took longer and was provided to cyber authorities only in late November. There is no indication that the flaw had been exploited before it was patched.
