A security lapse by one in all India’s largest pharmacy chains allowed outsiders to realize full administrative management of its platform, exposing buyer order knowledge and delicate drug-control features, information.killnetswitch has solely realized.
The problem affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a big community of shops throughout India. Safety researcher Eaton Zveare instructed information.killnetswitch that he found the flaw after figuring out insecure “tremendous admin” software programming interfaces on DavaIndia’s web site and privately shared particulars with Indian cybersecurity authorities.
The bug is now fastened, and Zveare disclosed his findings.
The publicity comes as Zota Healthcare quickly scales DavaIndia Pharmacy’s retail enterprise. The Gujarat-headquartered firm operates greater than 2,300 DavaIndia shops throughout India, together with 276 new shops introduced in January, and plans so as to add one other 1,200 to 1,500 over the subsequent two years.
Zveare instructed information.killnetswitch that the flaw stemmed from insecure admin interfaces, which allowed unauthenticated customers to create “tremendous admin” accounts with excessive privileges.
With that stage of entry, an attacker may view hundreds of on-line orders containing buyer info, modify product listings and costs, create low cost coupons, and alter settings governing whether or not sure medicines required a prescription, the researcher mentioned.
Based mostly on system timestamps, Zveare mentioned the weak administrative interfaces appeared to have been stay since late 2024. The entry uncovered practically 17,000 on-line orders and administrative controls spanning 883 shops, he mentioned, permitting adjustments to product pricing, prescription necessities, and promotional reductions. Zveare mentioned the entry allowed edits to web site content material that would have been used for defacement or disruption.
Pharmacy order knowledge may be notably delicate, as it might reveal details about an individual’s well being situations, medicines or different non-public purchases. Publicity of such knowledge, even with out proof of misuse, carries heightened privateness and patient-safety dangers in contrast with different shopper info.
“Buyer info was linked to their orders,” mentioned Zveare. “This contains identify, cellphone numbers, e mail IDs, mailing addresses, whole quantity paid, and the merchandise bought. Since it is a pharmacy, the merchandise being bought could possibly be thought of non-public and even embarrassing for some folks.”
Zveare mentioned he reported the difficulty to CERT-In, India’s nationwide cyber emergency response company, in August 2025. The vulnerability was fastened inside weeks, although affirmation from the corporate took longer and was offered to the cyber authorities in late November, he mentioned.
Sujit Paul, chief government of Zota Healthcare, didn’t reply to emails despatched by information.killnetswitch final month. The researcher mentioned there was no indication the flaw had been exploited earlier than it was patched.
