Indian pharmacy chain giant exposed customer data and internal systems

A information lapse by 1 of India’s largest pharmacy chains allowed outsiders to summation afloat administrative power of its platform, exposing lawsuit bid information and delicate drug-control functions, TechCrunch has exclusively learned.

The contented affected DavaIndia Pharmacy, the pharmacy limb of Zota Healthcare, which operates a ample web of retail outlets crossed India. Security researcher Eaton Zveare told TechCrunch that helium discovered the flaw aft identifying insecure “super admin” exertion programming interfaces connected DavaIndia’s website and privately shared details with Indian cybersecurity authorities.

The bug is present fixed, and Zveare disclosed his findings.

The vulnerability comes arsenic Zota Healthcare rapidly scales DavaIndia Pharmacy’s retail business. The Gujarat-headquartered institution operates much than 2,300 DavaIndia stores crossed India, including 276 caller outlets announced successful January, and plans to add different 1,200 to 1,500 implicit the adjacent 2 years.

Zveare told TechCrunch that the flaw stemmed from insecure admin interfaces, which allowed unauthenticated users to make “super admin” accounts with precocious privileges.

With that level of access, an attacker could presumption thousands of online orders containing lawsuit information, modify merchandise listings and prices, make discount coupons, and alteration settings governing whether definite medicines required a prescription, the researcher said.

Based connected strategy timestamps, Zveare said the susceptible administrative interfaces appeared to person been unrecorded since precocious 2024. The entree exposed astir 17,000 online orders and administrative controls spanning 883 stores, helium said, allowing changes to merchandise pricing, medicine requirements, and promotional discounts. Zveare said the entree allowed edits to website contented that could person been utilized for defacement oregon disruption.

Pharmacy bid information tin beryllium peculiarly sensitive, arsenic it whitethorn uncover accusation astir a person’s wellness conditions, medications oregon different backstage purchases. Exposure of specified data, adjacent without grounds of misuse, carries heightened privateness and patient-safety risks compared with different user information.

“Customer accusation was linked to their orders,” said Zveare. “This includes name, telephone numbers, email IDs, mailing addresses, full magnitude paid, and the products purchased. Since this is simply a pharmacy, the products being purchased could beryllium considered backstage and adjacent embarrassing for immoderate people.”

Zveare said helium reported the contented to CERT-In, India’s nationalist cyber exigency effect agency, successful August 2025. The vulnerability was fixed wrong weeks, though confirmation from the institution took longer and was provided to the cyber authorities successful precocious November, helium said.

Sujit Paul, main enforcement of Zota Healthcare, did not respond to emails sent by TechCrunch past month. The researcher said determination was nary denotation the flaw had been exploited earlier it was patched.