DavaIndia Pharmacy Flaw Exposed Sensitive Customer Data, Allowed Unauthorized "Super Admin" Access
A critical security vulnerability in DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare with over 2,300 stores across India, allowed unauthenticated users to create "super admin" accounts with full system privileges. The flaw, introduced in late 2024, exposed highly sensitive customer data tied to nearly 17,000 online orders across 800+ stores, including health conditions, medications, personal details, and purchase histories.
Security researcher Eaton Zveare discovered the bug, which enabled attackers to:
- Access and exfiltrate customer data (names, phone numbers, emails, addresses, and purchased products).
- Tamper with product listings, including modifying prices and prescription requirements.
- Create unauthorized discounts, coupons, and alter administrative controls.
Zveare described the exposed data as potentially "private and even embarrassing" given the nature of pharmacy purchases. There is no evidence the flaw was exploited maliciously, but it remained unpatched until mid-September 2025, following Zveare's responsible disclosure to CERT-In (India's national cybersecurity agency) in August 2025. DavaIndia confirmed the fix in late November 2025. No customer action, such as password resets, was required, because payment data and other secrets remained secure.
The incident highlights risks in handling sensitive health-related data, particularly in large-scale digital pharmacy platforms.
Zota Healthcare TPRM report: https://www.rankiteo.com/company/zota-health-care-limited
DavaIndia Pharmacy TPRM report: https://www.rankiteo.com/company/davaindia-generic-pharmacy
{
  "id": "zotdav1771331028",
  "linkid": "zota-health-care-limited, davaindia-generic-pharmacy",
  "type": "Vulnerability",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "17,000 online orders (800+ stores)",
      "industry": "Healthcare/Pharmaceutical",
      "location": "India",
      "name": "DavaIndia Pharmacy (Zota Healthcare)",
      "size": "2,300+ stores",
      "type": "Pharmacy"
    }
  ],
  "attack_vector": "Unauthenticated access via security vulnerability",
  "customer_advisories": "No customer action required (e.g., password resets)",
  "data_breach": {
    "data_exfiltration": "Possible (no evidence of malicious exploitation)",
    "number_of_records_exposed": "17,000 online orders",
    "personally_identifiable_information": "Names, phone numbers, emails, addresses",
    "sensitivity_of_data": "High (health conditions, medications)",
    "type_of_data_compromised": "Personal identifiable information, health-related data, purchase histories"
  },
  "date_detected": "2024",
  "date_publicly_disclosed": "2025-09",
  "date_resolved": "2025-11",
  "description": "A critical security vulnerability in DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, allowed unauthenticated users to create 'super admin' accounts with full system privileges. The flaw exposed highly sensitive customer data tied to nearly 17,000 online orders across 800+ stores, including health conditions, medications, personal details, and purchase histories. Attackers could access and exfiltrate customer data, tamper with product listings, create unauthorized discounts, and alter administrative controls.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to exposure of sensitive health data",
    "data_compromised": "Names, phone numbers, emails, addresses, purchased products, health conditions, medications, purchase histories",
    "identity_theft_risk": "High",
    "operational_impact": "Unauthorized administrative access, tampering with product listings and discounts",
    "payment_information_risk": "None (payment data remained secure)",
    "systems_affected": "DavaIndia Pharmacy online platform"
  },
  "investigation_status": "Resolved",
  "lessons_learned": "Risks in handling sensitive health-related data in large-scale digital pharmacy platforms",
  "post_incident_analysis": {
    "corrective_actions": "Vulnerability patched",
    "root_causes": "Critical security vulnerability allowing unauthorized 'super admin' access"
  },
  "references": [
    { "source": "Security researcher Eaton Zveare" }
  ],
  "regulatory_compliance": {
    "regulatory_notifications": "Reported to CERT-In (India’s national cybersecurity agency)"
  },
  "response": {
    "communication_strategy": "Responsible disclosure to CERT-In, public disclosure post-fix",
    "containment_measures": "Vulnerability patched",
    "remediation_measures": "Security flaw fixed"
  },
  "title": "DavaIndia Pharmacy Flaw Exposed Sensitive Customer Data, Allowed Unauthorized 'Super Admin' Access",
  "type": "Data Breach",
  "vulnerability_exploited": "Critical security flaw allowing unauthorized 'super admin' account creation"
}