According to a new TechCrunch report, a security vulnerability at DavaIndia Pharmacy, Zota Healthcare's pharmaceutical branch in India, allowed outsiders to take full control of its platform, exposing customer order data and sensitive drug control functions.
Security researcher Eaton Zveare said he discovered the vulnerability after identifying insecure "senior administrator" application programming interfaces (APIs) on DavaIndia's website, and he shared detailed information with Indian cybersecurity agencies.
The flaw has since been fixed, and Zveare has made his findings public.
The disclosure comes as Zota Healthcare is rapidly expanding its retail operations for DavaIndia Pharmacy. The Gujarat-based company operates more than 2,300 DavaIndia stores across India, including 276 new stores announced in January 2026, and plans to add 1,200 to 1,500 more stores in the next two years.
Zveare told TechCrunch that the vulnerability originated from an insecure administration interface that allowed unauthenticated users to create "super administrator" accounts with elevated privileges.
According to the researcher, an attacker with that level of access could view thousands of online orders containing customer information, modify product and price lists, create discount vouchers, and change the settings that determine whether certain drugs require a prescription.
Based on system timestamps, Zveare said the vulnerable administrator interfaces appeared to have been in operation since the end of 2024. He said the access exposed nearly 17,000 online orders and administrator controls spanning 883 stores, allowing changes to product prices, prescription requirements and promotional discounts. Zveare said the access also allowed editing of website content, which could be used to sabotage or disrupt operations.
Prescription data can be particularly sensitive, as it can reveal information about a person's health status, medications, or other private purchases. Such data leaks, even without evidence of abuse, also pose higher risks to patient privacy and safety than other consumer information.
"Customer information is linked to their orders. This includes names, phone numbers, email addresses, mail addresses, total amounts paid and purchased products. Because this is a pharmacy, information about purchased products can be considered private and even embarrassing to some people," Zveare said.
Mr. Zveare said he reported this issue to CERT-In, India's national cybersecurity emergency response agency, in August 2025. The vulnerability was fixed within a few weeks, although confirmation from the company took longer and was only provided to cybersecurity agencies at the end of November 2025.