A major security vulnerability was recently discovered in the online infrastructure of Dava India, one of India’s largest generic pharmacy retail chains.
The breach, identified by security researcher Eaton, exposed sensitive customer personal data and granted unauthorized access to internal management systems through insecure super administrator APIs.
The vulnerability stemmed from an exposed API endpoint on the Dava India website, which is a division of Zota Healthcare.
The researcher discovered that the site’s “forgot password” code referenced super-admin APIs.
When the researcher queried these endpoints, the system returned a full list of super admin users without requiring any authentication.
While passwords were not exposed in plain text, the API allowed for the creation of new super administrator accounts.
By manipulating a POST request, the researcher was able to register a new admin profile and gain full control over the pharmacy’s backend operations.
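The flaw described above, an admin-user endpoint that lists and creates super administrators without any authentication, beside a hardened version that requires an authenticated super-admin session, as an added Python example. This is not Dava India's code or the researcher's; the handler names, the bearer-session scheme and the in-memory stores are all constructed for illustration.

```python
"""Constructed example (not Dava India's code): an admin-user API handler in
the vulnerable shape described above, beside a hardened version that enforces
authentication and role checks. All names and data are made up."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory stores standing in for the real backend.
ADMIN_USERS = {"alice": {"role": "super_admin"}}
SESSIONS = {"sess-alice": "alice"}  # session token -> username


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    json: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


# --- Vulnerable shape: no authentication or authorization at all ------------
def vulnerable_admin_api(req: Request) -> Response:
    if req.method == "GET" and req.path == "/api/superadmin/users":
        return Response(200, {"users": sorted(ADMIN_USERS)})
    if req.method == "POST" and req.path == "/api/superadmin/users":
        # Any caller can mint a new super admin.
        ADMIN_USERS[req.json["username"]] = {"role": "super_admin"}
        return Response(201, {"created": req.json["username"]})
    return Response(404, {})


# --- Hardened shape ---------------------------------------------------------
def current_user(req: Request) -> Optional[str]:
    """Resolve the caller from a bearer session token; None if absent or invalid."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def require_role(role: str):
    """Decorator: deny the request unless the caller is authenticated and holds
    the given role. 401 and 403 are kept distinct so monitoring can tell
    unauthenticated probes apart from privilege misuse by a logged-in user."""
    def wrap(handler):
        def guarded(req: Request) -> Response:
            user = current_user(req)
            if user is None:
                return Response(401, {"error": "authentication required"})
            if ADMIN_USERS.get(user, {}).get("role") != role:
                return Response(403, {"error": "insufficient privilege"})
            return handler(req, user)
        return guarded
    return wrap


@require_role("super_admin")
def list_admins(req: Request, actor: str) -> Response:
    # Return usernames only; never credential material, even hashed.
    return Response(200, {"users": sorted(ADMIN_USERS)})


@require_role("super_admin")
def create_admin(req: Request, actor: str) -> Response:
    name = req.json.get("username", "")
    if not name.isalnum() or name in ADMIN_USERS:
        return Response(400, {"error": "invalid or existing username"})
    # Record who created the account so the audit trail has an actor.
    ADMIN_USERS[name] = {"role": "super_admin", "created_by": actor}
    return Response(201, {"created": name})


def hardened_admin_api(req: Request) -> Response:
    if req.method == "GET" and req.path == "/api/superadmin/users":
        return list_admins(req)
    if req.method == "POST" and req.path == "/api/superadmin/users":
        return create_admin(req)
    return Response(404, {})


if __name__ == "__main__":
    anon = Request("POST", "/api/superadmin/users", json={"username": "mallory"})
    print(vulnerable_admin_api(anon).status)  # 201: anyone becomes super admin
    print(hardened_admin_api(anon).status)    # 401: rejected before any write
```

The important property is that the role check runs before the handler body, so an unauthenticated POST never reaches the code that writes to the admin table; the 401/403 split also gives a clean signal for alerting on repeated unauthenticated hits against admin paths.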
This unauthorized access provided visibility into 883 pharmacy stores and nearly 17,000 customer orders.
The exposed order details included personal customer information, raising significant privacy concerns.
Beyond viewing data, the access level allowed for critical modifications to the system. An attacker could edit details for over 1,500 products, including changing prices and descriptions.
More alarmingly, the vulnerability allowed the removal of prescription requirements for controlled medications.
The researcher demonstrated that it was possible to toggle off the “prescription required” setting for specific drugs, potentially allowing anyone to order restricted substances without medical oversight.
Additionally, the system allowed the creation of 100% discount coupons, which the researcher tested successfully, reducing an order total to near zero.
The level of control extended to the website’s content as well. The “Sponsor Settings” panel allowed administrators to change the YouTube videos displayed on the homepage, which could have been used to deface the site or spread misinformation.
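An added example, not Dava India's tooling and not from the researcher's write-up, of the audit-log review that would surface the classes of change described above: super-admin accounts created without authentication, prescription requirements switched off, and full-discount coupons. The JSON-lines log format, the field names and the 50% discount threshold are assumptions; the sample records are constructed.

```python
"""Constructed example (not Dava India's own tooling): scan an application
audit log for the kinds of privileged changes described in the article and
return them for review. Log format, field names and thresholds are assumed."""
import json
from typing import Iterable, List, Set

# Constructed sample audit records, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-08-01T10:00:01Z","actor":null,"auth":"none","action":"admin.list"}
{"ts":"2025-08-01T10:00:05Z","actor":null,"auth":"none","action":"admin.create","target":"newadmin"}
{"ts":"2025-08-01T10:02:10Z","actor":"newadmin","auth":"session","action":"product.update","product_id":4410,"field":"prescription_required","old":true,"new":false}
{"ts":"2025-08-01T10:03:00Z","actor":"newadmin","auth":"session","action":"coupon.create","code":"FREE","discount_pct":100}
{"ts":"2025-08-01T10:04:00Z","actor":"pharma_ops","auth":"session","action":"product.update","product_id":12,"field":"price","old":49.0,"new":52.0}
{"ts":"2025-08-01T10:05:00Z","actor":"marketing","auth":"session","action":"coupon.create","code":"SAVE10","discount_pct":10}
"""

MAX_DISCOUNT_PCT = 50  # assumed business limit; anything above needs approval


def classify(rec: dict, suspect_actors: Set[str] = frozenset()) -> List[str]:
    """Return the reasons a single audit record deserves review (empty if none).

    suspect_actors: accounts known to have been created by an unauthenticated
    request; anything they do afterwards is flagged as well."""
    reasons = []
    if rec.get("auth") == "none":
        reasons.append("privileged action without authentication")
    action = rec.get("action")
    if action == "admin.create":
        reasons.append("new super-admin account created")
    if (action == "product.update" and rec.get("field") == "prescription_required"
            and rec.get("old") is True and rec.get("new") is False):
        reasons.append("prescription requirement removed")
    if action == "coupon.create" and rec.get("discount_pct", 0) > MAX_DISCOUNT_PCT:
        reasons.append(f"coupon discount {rec['discount_pct']}% exceeds {MAX_DISCOUNT_PCT}%")
    if rec.get("actor") in suspect_actors:
        reasons.append("actor account was created by an unauthenticated request")
    return reasons


def scan_audit_log(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines audit records and return the flagged ones with reasons.

    Tracks accounts minted without authentication so that their later
    actions are surfaced even when each action looks routine on its own."""
    findings = []
    suspect_actors: Set[str] = set()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": n, "reasons": ["unparseable audit record"]})
            continue
        reasons = classify(rec, suspect_actors)
        if rec.get("action") == "admin.create" and rec.get("auth") == "none":
            suspect_actors.add(rec.get("target", ""))
        if reasons:
            findings.append({"line": n, "ts": rec.get("ts"),
                             "actor": rec.get("actor"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f["line"], f["ts"], f["actor"], "; ".join(f["reasons"]))
```

On the constructed sample, the two unauthenticated requests, the prescription toggle and the 100% coupon are flagged, while the routine price change and the 10% coupon are not. The "suspect actor" carry-over is the part worth keeping in real tooling: once an account has been created without authentication, each of its later actions is a finding regardless of what it does.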
| Impact Category | Details |
|---|---|
| Data Exposure | 17,000+ customer orders, personal details, pharmacist PINs |
| System Control | Full Super Admin access via insecure API |
| Product Manipulation | Ability to edit 1,500+ products, change prices, remove prescription requirements |
| Financial Risk | Creation of 100% off coupons, potential for theft |
| Operational Risk | Access to 883 store profiles and inventory management |
According to Eaton India, the issue was reported to India’s Computer Emergency Response Team (CERT-IN) in August 2025.
While Dava India fixed the vulnerability by mid-September 2025, they did not officially confirm the resolution to CERT-IN until late November 2025. The flaw is now patched, preventing unauthorized account creation and access.