A safety lapse by considered one of India’s largest pharmacy chains allowed outsiders to realize full administrative management of its platform, exposing buyer order information and delicate drug-control features, TechCrunch has solely realized.
The difficulty affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a big community of stores throughout India. Safety researcher Eaton Zveare informed TechCrunch that he found the flaw after figuring out insecure “tremendous admin” software programming interfaces on DavaIndia’s web site and privately shared particulars with Indian cybersecurity authorities.
The bug is now mounted, and Zveare disclosed his findings.
The publicity comes as Zota Healthcare quickly scales DavaIndia Pharmacy’s retail enterprise. The Gujarat-headquartered firm operates greater than 2,300 DavaIndia shops throughout India, together with 276 new outlets introduced in January, and plans to add another 1,200 to 1,500 over the subsequent two years.
Zveare informed TechCrunch that the flaw stemmed from insecure admin interfaces, which allowed unauthenticated customers to create “tremendous admin” accounts with excessive privileges.
With that degree of entry, an attacker may view 1000’s of on-line orders containing buyer info, modify product listings and costs, create low cost coupons, and alter settings governing whether or not sure medicines required a prescription, the researcher stated.
Primarily based on system timestamps, Zveare stated the weak administrative interfaces appeared to have been reside since late 2024. The entry uncovered almost 17,000 on-line orders and administrative controls spanning 883 shops, he stated, permitting modifications to product pricing, prescription necessities, and promotional reductions. Zveare stated the entry allowed edits to web site content material that might have been used for defacement or disruption.
Pharmacy order information might be notably delicate, as it could reveal details about an individual’s well being situations, drugs or different personal purchases. Publicity of such information, even with out proof of misuse, carries heightened privateness and patient-safety dangers in contrast with different client info.
“Buyer info was linked to their orders,” stated Zveare. “This consists of title, cellphone numbers, e-mail IDs, mailing addresses, complete quantity paid, and the merchandise bought. Since it is a pharmacy, the merchandise being bought might be thought of personal and even embarrassing for some folks.”
Zveare stated he reported the difficulty to CERT-In, India’s nationwide cyber emergency response company, in August 2025. The vulnerability was mounted inside weeks, although affirmation from the corporate took longer and was supplied to the cyber authorities in late November, he stated.
Sujit Paul, chief govt of Zota Healthcare, didn’t reply to emails despatched by TechCrunch final month. The researcher stated there was no indication the flaw had been exploited earlier than it was patched.
