Categories: Cyber Security News

India’s Largest Pharmacy Exposes Customer Personal Data and Internal System Access

A critical security lapse at Dava India, one of the country's biggest generic pharmacy retail chains and a division of Zota Healthcare, exposed customer personal details and the chain's backend management systems to anyone on the internet.

Security researcher Eaton found the issue in August 2025: an API endpoint on the company's website that required no authentication at all.

The vulnerability sat behind the site's "forgot password" feature, whose client-side code referenced super-admin API endpoints. Those endpoints performed no authentication or authorization checks, so querying them returned a complete list of super-admin users.

The passwords in that list were hashed, but that hardly mattered: a single unauthenticated POST request to the same API registered a brand-new super-admin account, handing full control of the pharmacy's management dashboard to whoever sent it.
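The flaw class described above, as an added illustration that is not Dava India's code or API: super-admin routes that never look at who is calling, beside the same routes gated by a session check and a role check. The route paths, the seed account, the passwords and the token scheme are all invented for the example.

```python
"""Unauthenticated super-admin API beside a function-level-authorized version.
Route paths, the seed account and passwords are constructed for this example;
none of it is Dava India's real code or API."""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the hashes in the exposed listing would look like this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Store:
    """In-memory stand-in for the admin-user table and the session table."""

    def __init__(self):
        self.admins = {}    # username -> {"salt", "pw_hash", "role"}
        self.sessions = {}  # bearer token -> username
        self.add_admin("alice", "correct horse", "superadmin")  # constructed seed account

    def add_admin(self, username, password, role):
        salt = secrets.token_bytes(16)
        self.admins[username] = {"salt": salt, "pw_hash": hash_password(password, salt), "role": role}

    def login(self, username, password):
        """Return a fresh bearer token on a correct password, else None."""
        rec = self.admins.get(username)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token


def vulnerable_handle(store, method, path, headers=None, body=None):
    """The pattern in the article: the admin list and the registration route are
    served to anyone, and the listing even includes the password hashes."""
    body = body or {}
    if method == "GET" and path == "/api/superadmin/users":
        users = [{"username": u, "pw_hash": r["pw_hash"].hex()} for u, r in store.admins.items()]
        return 200, {"users": users}
    if method == "POST" and path == "/api/superadmin/register":
        store.add_admin(body["username"], body["password"], "superadmin")
        return 201, {"created": body["username"]}
    return 404, {}


def current_user(store, headers):
    """Resolve an 'Authorization: Bearer <token>' header to (username, record), or None."""
    auth = (headers or {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    username = store.sessions.get(auth[len("Bearer "):])
    return (username, store.admins[username]) if username else None


def hardened_handle(store, method, path, headers=None, body=None):
    """Same routes, gated: every /api/superadmin/ request needs a valid session
    AND the superadmin role, hashes are never returned, and only an existing
    super admin can create another (the action is attributed to the creator)."""
    body = body or {}
    if not path.startswith("/api/superadmin/"):
        return 404, {}
    user = current_user(store, headers)
    if user is None:
        return 401, {"error": "authentication required"}
    username, record = user
    if record["role"] != "superadmin":
        return 403, {"error": "super admin role required"}
    if method == "GET" and path == "/api/superadmin/users":
        return 200, {"users": [{"username": u, "role": r["role"]} for u, r in store.admins.items()]}
    if method == "POST" and path == "/api/superadmin/register":
        if body["username"] in store.admins:
            return 409, {"error": "username already exists"}
        store.add_admin(body["username"], body["password"], "superadmin")
        return 201, {"created": body["username"], "by": username}
    return 404, {}
```

The point of the hardened version is that the check happens once, at the top of the privileged route prefix, before any handler code runs: a caller without a session gets 401, a logged-in pharmacist gets 403, and a super admin's account creation is recorded against the creator rather than appearing from nowhere.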

Impact Category        Details
Data Exposure          17,000+ customer orders, personal details, pharmacist PINs
System Control         Full super-admin access via an insecure API
Product Manipulation   Ability to edit 1,500+ products, change prices, remove prescription requirements
Financial Risk         Creation of 100% off coupons, potential for theft
Operational Risk       Access to 883 store profiles and inventory management

With that access, the exposure gave visibility into 883 store profiles and more than 17,000 customer orders, including customer names, addresses, phone numbers, and pharmacist PINs.

The same access allowed editing of more than 1,500 products: prices and descriptions could be altered, and the "prescription required" flag on controlled drugs could be switched off.

Eaton demonstrated this by turning the flag off, after which prescription-only medications could be ordered without restriction.

The financial exposure was just as serious: the dashboard let an admin create 100% discount coupons, which in testing reduced order totals to zero.

Operational risk extended to the "Sponsor Settings" page, where the YouTube videos embedded on the homepage could be swapped out, a direct route to defacement or to serving phishing lures to customers.

There is no indication that the flaw was used for ransomware or data theft, but the potential for privacy violations, fraud, and regulatory fallout was immense.

Eaton reported the flaw to India's CERT-In in August 2025. Dava India patched it by mid-September but did not confirm the fix officially until late November.

The fix blocks unauthenticated account creation and enforces authentication on the affected endpoints.

The incident underscores how common API authorization gaps are in e-commerce, and how much worse they are on healthcare platforms that hold sensitive personal data.

Retail chains should inventory every exposed endpoint, enforce authentication and per-function authorization on each one (a JWT or OAuth bearer token only identifies the caller; the server still has to check that caller's role before serving an admin action), keep admin API routes out of customer-facing client code such as password-reset pages, and conduct regular pentests.
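One way to run the endpoint audit recommended above, as an added example rather than anything from the article or from Dava India: send each candidate route one request with no credentials and classify the answer. The base URL, route list and canned responses are constructed for the example; for a real run the same code uses `urllib` against the target, with mutating methods refused by default, since an anonymous POST to a register route is the attack itself rather than an audit of it.

```python
"""Unauthenticated-access audit for a list of API routes. The example site,
its routes and the canned responses are constructed for illustration and are
not Dava India's real API."""
import urllib.error
import urllib.request

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def http_fetch(method, url):
    """Live transport: one anonymous request. Redirects are not followed, because
    a bounce to a login page is itself a verdict. Returns (status, content_type, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method=method)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read(4096)


def classify(status, content_type, body):
    """Map one anonymous response to a verdict."""
    if status in (401, 403):
        return "gated"
    if 300 <= status < 400:
        return "redirect"      # usually a bounce to a login page; confirm by hand
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        if "json" in content_type.lower() and body.strip():
            return "exposed"   # data served to a logged-out caller
        return "open-page"     # a 200 HTML page, often a login form; check it
    return "other"


def audit(base_url, endpoints, public=(), fetch=http_fetch, allow_unsafe=False):
    """Probe each (method, path). Routes listed in `public` are expected to answer
    anonymously (a product catalogue, say) and are reported separately."""
    findings = []
    for method, path in endpoints:
        if method not in SAFE_METHODS and not allow_unsafe:
            findings.append({"method": method, "path": path, "status": None, "verdict": "skipped-unsafe"})
            continue
        status, ctype, body = fetch(method, base_url + path)
        verdict = classify(status, ctype, body)
        if verdict == "exposed" and path in public:
            verdict = "public-by-design"
        findings.append({"method": method, "path": path, "status": status, "verdict": verdict})
    return findings


def exposed(findings):
    """Paths that handed data to an anonymous caller and were not meant to."""
    return [f["path"] for f in findings if f["verdict"] == "exposed"]


# Constructed stand-in for a site with one unauthenticated super-admin route,
# modelled on the shape of the flaw in the article (responses are invented).
BASE = "https://pharmacy.example"
CANNED = {
    ("GET", BASE + "/api/superadmin/users"): (200, "application/json", b'[{"username":"alice","pw_hash":"ab12"}]'),
    ("GET", BASE + "/api/superadmin/settings"): (401, "application/json", b'{"error":"unauthorized"}'),
    ("GET", BASE + "/api/superadmin/orders"): (200, "text/html; charset=utf-8", b"<html>login</html>"),
    ("GET", BASE + "/api/products"): (200, "application/json", b'[{"sku":"PARA-500"}]'),
    ("GET", BASE + "/admin"): (302, "text/html", b""),
}
ENDPOINTS = [
    ("GET", "/api/superadmin/users"),
    ("GET", "/api/superadmin/settings"),
    ("GET", "/api/superadmin/orders"),
    ("GET", "/api/products"),
    ("GET", "/admin"),
    ("POST", "/api/superadmin/register"),
]


def fake_fetch(method, url):
    """Offline transport that answers from CANNED instead of the network."""
    return CANNED[(method, url)]


if __name__ == "__main__":
    for finding in audit(BASE, ENDPOINTS, public=("/api/products",), fetch=fake_fetch):
        print(f'{finding["method"]:5} {finding["path"]:30} {finding["verdict"]}')
```

The route list is the hard part in practice: the article's flaw was found because client-side code for the password-reset page referenced the super-admin routes, so harvesting paths from the site's JavaScript bundles is a sensible source for `ENDPOINTS`.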

For pharmacies the stakes are higher still: a flag that can be flipped to remove prescription gates is a public-health risk, and the exposure of customer personal data raises compliance questions under India's DPDP Act.


The post India’s Largest Pharmacy Exposes Customer Personal Data and Internal System Access appeared first on Cyber Security News.
