Indian pharmacy chain giant exposed customer data and internal systems

✨ Explore this awesome post from TechCrunch 📖

📂 **Category**: Security,Exclusive,cybersecurity,data exposure,DavaIndia,Zota Healthcare

A security flaw at one of India’s largest pharmacy chains allowed outsiders to gain complete administrative control over its platform, exposing customer order data and sensitive medication monitoring functions, TechCrunch has learned exclusively.

The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail outlets across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying insecure “super-admin” APIs on the DavaIndia website, and that he privately shared the details with Indian cybersecurity authorities.

The bug has now been fixed, and Zveare has revealed his findings.

This exposure comes at a time when Zota Healthcare is rapidly expanding DavaIndia Pharmacy’s retail business. The Gujarat-headquartered company operates more than 2,300 DavaIndia stores across India, including 276 new outlets announced in January, and plans to add another 1,200 to 1,500 stores over the next two years.

Zveare told TechCrunch that the flaw stems from insecure administration interfaces, which allowed unauthenticated users to create “super admin” accounts with elevated privileges.

With this level of access, an attacker could view thousands of online orders containing customer information, modify product listings and prices, create discount coupons, and change settings that govern whether certain medications require a prescription, the researcher said.
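The class of flaw described above, an account-creation endpoint that never checks who is calling, can be shown next to a deny-by-default version. This is an added example, not code from DavaIndia or from the researcher; the handler names, roles and sessions are hypothetical and the callers are constructed for the test.

```python
# Added illustration: every name here is hypothetical, not DavaIndia's API.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ROLES = {"customer", "store_admin", "super_admin"}

@dataclass(frozen=True)
class Session:
    user: str
    role: str

class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""

def create_account_vulnerable(session: Optional[Session], accounts: Dict[str, str],
                              username: str, role: str) -> str:
    # Flaw class from the article: the caller's identity is never checked,
    # so a request with no session at all can mint a privileged account.
    accounts[username] = role
    return role

def create_account_hardened(session: Optional[Session], accounts: Dict[str, str],
                            username: str, role: str) -> str:
    if session is None:                    # deny anonymous callers first
        raise Forbidden("authentication required")
    if role not in ROLES:                  # reject roles the system does not define
        raise Forbidden("unknown role")
    if session.role != "super_admin":      # only super admins create accounts here
        raise Forbidden("insufficient privilege")
    if username in accounts:               # never overwrite an existing account
        raise Forbidden("account exists")
    accounts[username] = role
    return role

def callers_allowed(handler: Callable[..., str]) -> List[str]:
    """Run constructed callers against a handler; list who can create a super admin."""
    callers = {"anonymous": None,
               "customer": Session("c1", "customer"),
               "store_admin": Session("s1", "store_admin"),
               "super_admin": Session("root", "super_admin")}
    allowed = []
    for name, session in callers.items():
        try:
            handler(session, {}, "new-admin", "super_admin")
            allowed.append(name)
        except Forbidden:
            pass
    return allowed
```

Running `callers_allowed` against every privileged handler as a regression test catches an endpoint that ships without its authorization check.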

Based on the system’s timestamps, Zveare said the vulnerable administrative interfaces appeared to have been in place since late 2024. He said the access revealed nearly 17,000 online orders and administrative controls covering 883 stores, allowing for changes in product prices, prescription requirements and promotional discounts. Zveare said the access also allowed modifications to the website content that could have been used to distort or disrupt the site.

Pharmacy order data can be particularly sensitive, because it may reveal information about a person’s health condition, medications, or other private purchases. Disclosing such data, even without evidence of misuse, carries higher privacy and patient safety risks than other consumer information.

“Customers’ information was linked to their orders,” Zveare said. “This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and products purchased. Since this is a pharmacy, products purchased could be considered private and even embarrassing to some people.”

Zveare said he reported the issue to CERT-In, India’s national cyber emergency response agency, in August 2025. The vulnerability was fixed within weeks, though confirmation from the company took longer and was submitted to cyber authorities in late November, he said.

Zota Healthcare CEO Sujit Paul did not respond to emails sent by TechCrunch last month. The researcher said that there is no indication that the flaw was exploited before it was corrected.

🕒 **Posted on**: 1771040847
