Security Affairs
FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A security flaw at DavaIndia Pharmacy allowed attackers to access customers’ data and more

A security flaw at DavaIndia Pharmacy exposed customer data and gave outsiders full admin control of its systems. DavaIndia is a large Indian pharmacy retail chain focused on selling affordable generic medicines. Operated by Zota Health Care Ltd., the brand promotes low-cost alternatives to branded drugs to make healthcare more accessible across India. DavaIndia runs […]

DavaIndia Pharmacy

A security flaw at DavaIndia Pharmacy exposed customer data and gave outsiders full admin control of its systems.

DavaIndia is a large Indian pharmacy retail chain focused on selling affordable generic medicines. Operated by Zota Health Care Ltd., the brand promotes low-cost alternatives to branded drugs to make healthcare more accessible across India.

DavaIndia runs hundreds of franchised stores nationwide and positions itself as a value-driven pharmacy network, offering prescription medicines, over-the-counter products, and wellness items at discounted prices. Its business model centers on reducing medicine costs while expanding access in both urban and semi-urban areas.

A security vulnerability at DavaIndia Pharmacy allowed unauthorized access to its platform, exposing customer order data and granting full administrative control. The weakness also put sensitive drug-control functions at risk, raising serious concerns about data protection and the integrity of its internal systems.

The security researcher Eaton Zveare disclosed serious flaws in DavaIndia. While analyzing its website, the researcher found an exposed admin subdomain that allowed unauthenticated access to super-admin APIs.

“The site is developed using Next.js, so naturally there’s plenty of client-side JS to pick through. One part that stood out immediately was the forgot password code that mentioned super-admin APIs” wrote the expert. “As a test, I went to the endpoint in the browser and was presented with the list of super admin users! All without authenticating.”

By crafting a POST request, he was able to create a new super admin account and gain full control of the platform.

With this access, it was possible to view and edit stores, pharmacist details, customer orders, personal data, products, inventory, and coupons. The researcher even generated a 100% discount coupon and demonstrated how prescription requirements could potentially be bypassed, highlighting major risks to customer privacy and drug controls.

“Some items require a prescription to purchase. This is controlled by a toggle” continues the expert. “If you wanted to buy something that would require a prescription, you could in theory toggle this off and then submit your order. This was not tested, but it is highly likely it would have worked.”

An exposed admin panel included a “Sponsor Settings” feature that allowed control over homepage videos, meaning an attacker could have swapped content, even pulling off a Rick Roll prank. The flaw was reported on August 20, 2025, and fixed within a month, though confirmation was delayed. With support from CERT-In, the case was finally confirmed closed on November 28, 2025, and publicly disclosed on February 13, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DavaIndia Pharmacy)