
A security failure at one of India’s largest pharmacy chains allowed an outsider to gain complete administrative control of the platform, exposing customer order data and sensitive medication control functions, TechCrunch has learned exclusively.
The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail stores across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying an insecure “super-admin” application programming interface on DavaIndia’s website and privately sharing the details with Indian cybersecurity authorities.
Now the bug has been fixed and Zveare has made his findings public.
The exposure comes as Zota Healthcare is rapidly expanding its retail business at DavaIndia Pharmacy. The Gujarat-based company operates more than 2,300 DavaIndia stores across India, including 276 new stores announced in January, and plans to add 1,200 to 1,500 more over the next two years.
Zveare told TechCrunch that the flaw stemmed from an insecure management interface that allowed unauthenticated users to create highly privileged “super administrator” accounts.
That level of access could allow attackers to view thousands of online orders containing customer information, modify product listings and prices, create discount coupons, and change settings that control whether certain medications require a prescription, the researcher said.
Zveare said that, based on system timestamps, the vulnerable management interface appears to have been active since late 2024. The access exposed approximately 17,000 online orders and administrative controls across 883 stores, which could allow changes to product prices, prescription requirements and promotional discounts, he said. Zveare said the access also allowed him to edit website content, which could be used for defacement or disruption.
Pharmacy order data may be particularly sensitive because it can reveal information about an individual’s health condition, medications, or other personal purchases. Even if there is no evidence of misuse, exposure of this data poses greater privacy and patient safety risks than exposure of other consumer information.
“Customer information is tied to orders,” Zveare said. “This includes your name, phone number, email ID, mailing address, total amount paid, and products purchased. Since this is a pharmacy, the products you purchase may be considered private and may be embarrassing to some.”
Zveare said he reported the issue to India’s national cyber emergency response agency, CERT-In, in August 2025. The vulnerability was fixed within a few weeks, but confirmation from the company took longer and was forwarded to cyber authorities in late November, he said.
Sujit Paul, CEO of Zota Healthcare, did not respond to an email sent by TechCrunch last month. The researcher said there was no indication that the flaw had been exploited before the patch was applied.









