- DavaIndia Pharmacy flaw allows unauthenticated users to create “super admin” accounts with full privileges
- Exposed sensitive customer data related to orders, including health status, medications, and personal information
- Bug responsibly disclosed in 2024, fixed at the end of 2025; no evidence of malicious exploitation, customer data is likely secure
A major Indian pharmacy chain operated a faulty platform that exposed the highly sensitive data of millions of users, experts have warned.
DavaIndia Pharmacy, the pharmaceutical arm of Zota Healthcare, currently operates over 2,300 stores across the country. However, a bug in its platform allowed unauthenticated users to create “super-admin” accounts.
These accounts were highly privileged, giving an attacker access to extremely sensitive information and controls: they could exfiltrate customer information (including health status, medications, and other private purchases), falsify product listings (changing entries and prices), create discounts and coupons, change medications requiring a doctor’s prescription, and much more.
Bug fix
The bug was discovered by security researcher Eaton Zveare, who said the bug was introduced in late 2024 and has since exposed nearly 17,000 online orders and administrative controls across more than 800 stores.
“Customer information was linked to their orders,” Zveare told TechCrunch. “This includes name, phone numbers, email ids, postal addresses, total amount paid and products purchased. Since this is a pharmacy, the products purchased could be considered private and even embarrassing to some people.”
In August 2025, Zveare responsibly disclosed his findings to CERT-In, the country’s national cybersecurity emergency response agency. After a few weeks, in mid-September, he noticed that the bug was fixed and asked for confirmation. However, DavaIndia only gave its confirmation at the end of November 2025.
Zveare said there is no evidence that a malicious actor has ever discovered this flaw and that customer data is most likely secure. Therefore, no action is required from the user: passwords, payment data and other secrets remain secure.




