TechRadar
Sead Fadilpašić

Indian pharmacy chain giant exposed customer data and internal systems

  • DavaIndia Pharmacy flaw let unauthenticated users create “super admin” accounts with full privileges
  • Exposed sensitive customer data tied to orders, including health conditions, medications, and personal details
  • Bug responsibly disclosed in 2024, fixed by late 2025; no evidence of malicious exploitation, customer data likely secure

A major Indian pharmacy chain operated a flawed platform which exposed highly sensitive data of millions of users, experts have warned.

DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, currently runs more than 2,300 stores across the country. However, a flaw in its platform allowed unauthenticated users to create “super admin” accounts.

These accounts came with high privileges, giving anyone who created one access to extremely sensitive information. They could exfiltrate customer information (including health conditions, medications, and other private purchases), tamper with product listings (modifying entries and prices), create discounts and coupons, change which drugs required a doctor’s prescription, and more.

Fixing the bug

The flaw was discovered by security researcher Eaton Zveare, who said it was introduced in late 2024 and has since exposed nearly 17,000 online orders and admin controls across more than 800 stores.

“Customer information was linked to their orders,” Zveare told TechCrunch. “This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people.”

In August 2025, Zveare responsibly disclosed his findings to CERT-In, the country’s national cybersecurity emergency response agency. After a few weeks, in mid-September, he noticed the bug was fixed, and asked for confirmation. However, DavaIndia only gave its confirmation in late November 2025.

Zveare said there is no evidence that a malicious actor discovered this flaw before, and that customer data is most likely secure. Therefore, no action is required on the user side: passwords, payment data, and other secrets remain secure.

