
A critical flaw in the website of Indian pharmacy giant Dava India enabled hackers to view personal and healthcare information of thousands of customers, edit store details and change prices.
An ethical hacker using the pseudonym "Eaton" recently disclosed how they exploited a vulnerability in the "forgot password" section of Dava India's website to create a super-admin profile and perform a range of administrator tasks on the site.
Owned by Surat-based Zota Healthcare Ltd, Dava India is one of India’s largest private generic pharmacy retail chains, providing generic medicines at an affordable cost through a network of more than 2,100 retail stores spread across all states and union territories.
Eaton said they navigated to an administrator login page on the pharmacy retailer's website and, on clicking the "forgot password" link, found that the page's forgot-password code referenced super-admin APIs, and that those APIs returned the entire list of super-admin users without requiring authentication.
The ethical hacker then went on to create their own super-admin account and, with it, could view the details of as many as 883 Dava India online stores, edit individual store details and see the details of the pharmacists assigned to each store.
They could also view individual online orders, including order contents and the personal details of the customers who placed them; edit the names, descriptions and prices of more than 1,500 products; view and modify inventory numbers; and apply discount codes. They also noticed that some prescription drugs could be ordered without a prescription being supplied.
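The root cause described above is missing function-level access control: super-admin API routes were reachable without an authenticated, authorised caller. The following is an added illustration, not Dava India's code, using constructed route names, sample accounts and an in-memory session; it shows the unguarded listing beside a route guard that rejects anonymous and under-privileged callers before any handler runs, and records every super-admin creation for audit.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; not real accounts.
SUPER_ADMINS = ["alice@example.invalid"]
AUDIT = []  # (actor, action, target) tuples, reviewed by defenders

@dataclass(frozen=True)
class Session:
    user: Optional[str] = None          # None means unauthenticated
    roles: frozenset = frozenset()

def list_super_admins_vulnerable(session: Session):
    """The pattern in the report: the listing is served to anyone."""
    return 200, list(SUPER_ADMINS)

# Hypothetical prefix; every route under it needs the super-admin role.
PROTECTED_PREFIXES = ("/api/super-admin/",)

def authorize(path: str, session: Session) -> Optional[int]:
    """Return a status to short-circuit with, or None to let the handler run."""
    if not path.startswith(PROTECTED_PREFIXES):
        return None
    if session.user is None:
        return 401                      # not logged in at all
    if "super-admin" not in session.roles:
        return 403                      # logged in, but not privileged enough
    return None

def handle(method: str, path: str, session: Session, body: Optional[dict] = None):
    """Tiny router: the guard runs first, so no admin handler sees an anonymous request."""
    denied = authorize(path, session)
    if denied is not None:
        return denied, None
    if path == "/public/products" and method == "GET":
        return 200, ["paracetamol 500mg"]   # constructed public catalogue entry
    if path == "/api/super-admin/users" and method == "GET":
        return 200, list(SUPER_ADMINS)
    if path == "/api/super-admin/users" and method == "POST":
        new_admin = body["email"]
        SUPER_ADMINS.append(new_admin)
        # Privileged-account creation is rare; log actor and target so an
        # unexpected new super-admin is visible to the security team.
        AUDIT.append((session.user, "create_super_admin", new_admin))
        return 201, new_admin
    return 404, None
```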
Eaton reported the vulnerability to Dava India on August 20, 2025 and observed that the issue had been resolved on or before September 16, 2025, but did not receive official confirmation from the pharmacy chain until November 28 that the vulnerability had been fixed. It is not known how long the vulnerability lingered on the website before the hacker discovered it.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543