- DavaIndia Pharmacy Flaw Allows Unauthenticated Users to Create ‘Super Administrator’ Accounts with Full Privileges
- Exposed sensitive customer data linked to orders, including health conditions, medications and personal details.
- Bug responsibly disclosed in 2024, fixed by the end of 2025; there is no evidence of malicious exploitation, and customer data is probably safe.
A major Indian pharmacy chain operated a faulty platform that exposed highly sensitive data of millions of users, experts have warned.
DavaIndia Pharmacy, the pharmaceutical arm of Zota Healthcare, currently runs over 2,300 stores across the country. However, its platform suffered from a bug that allowed unauthenticated users to create “super administrator” accounts.
These accounts came with high privileges, allowing attackers to access extremely sensitive information: they could exfiltrate customer information (including health conditions, medications, and other private purchases), alter product lists (modifying entries and prices), create discounts and coupons, change which medications required a prescription, and more.
Fixing the error
The bug was discovered by security researcher Eaton Zveare, who said it was introduced in late 2024 and has since exposed nearly 17,000 online orders and administrative controls at more than 800 stores.
“Customer information was linked to their orders,” Zveare told TechCrunch. “This includes name, phone numbers, email ID, postal addresses, total amount paid and the products purchased. Since this is a pharmacy, the products purchased could be considered private and even embarrassing to some people.”
In August 2025, Zveare responsibly disclosed his findings to CERT-In, the country’s national cybersecurity emergency response agency. After a few weeks, in mid-September, he noticed that the error had been fixed and asked for confirmation. However, DavaIndia did not give its confirmation until the end of November 2025.
Zveare said there is no evidence that a malicious actor discovered this flaw before and that customer data is most likely safe. Therefore, no action is required on the part of the user: passwords, payment details and other secrets remain safe.