DavaIndia API flaw exposed customer orders, PII via unauthenticated super admin access. Fixed after responsible disclosure.

Continue reading
The vulnerabilities inherent in rapidly digitizing sectors, a significant security lapse at DavaIndia Pharmacy, one of India's largest and fastest-growing pharmacy chains, recently exposed sensitive customer data and granted external actors potential "super admin" control over its core systems. The incident, first reported by TechCrunch, underscores the acute risks when backend administrative interfaces—the digital keys to the kingdom—are left unguarded.
The flaw was uncovered by security researcher Eaton Zveare, who identified a critical vulnerability rooted in the pharmacy chain's implementation of its administrative Application Programming Interfaces (APIs) . Specifically, these "super admin" APIs were found to be insecure, meaning they did not require any form of user authentication or authorization for access.
| Aspect of Vulnerability | Technical Description & Impact |
|---|---|
| Root Cause | Insecure, unauthenticated "super admin" APIs on the DavaIndia website. |
| Exploitation Method | An unauthenticated user could directly interact with these APIs to create new accounts with the highest level of platform privileges. |
| Resulting Access Level | Full "super admin" control, granting the ability to modify backend settings, view all data, and alter core business logic. |
With this level of access, a malicious actor would not merely be a guest; they would be an omnipotent administrator. The vulnerability stemmed not from a complex injection attack, but from a fundamental oversight in access control—a failure to ensure that the interfaces designed for internal management were not exposed and accessible to the public internet without proper checks.
The access potentially granted a window into the operations of a significant portion of DavaIndia's network. According to Zveare's findings shared with Indian cybersecurity authorities (CERT-In), the exposed systems provided oversight of 883 stores. The exposure is understood to have revealed approximately 17,000 online orders, a dataset that, while potentially a snapshot, was highly sensitive in nature.
The exposed data and controls can be categorized as follows:
The core of the exposure involved Personally Identifiable Information (PII) inextricably linked to health-related purchases. For each exposed order, a malicious actor could view:
As Zveare noted, the pharmacy context heightens the sensitivity: "the products being purchased could be considered private and even embarrassing for some people." This confluence of identity and health data creates a potent privacy risk, potentially revealing diagnoses, chronic conditions, or other sensitive health details.
Beyond data theft, the "super admin" access enabled an attacker to manipulate the platform's core functions. This represents a significant integrity and availability risk:
The timeline of events, as reported, raises questions about the speed of coordinated disclosure and remediation.
Importantly, the researcher stated that there was no evidence the flaw was exploited maliciously before it was patched. However, the duration for which the systems were exposed (potentially nearly a year) remains a point of concern.
DavaIndia data exposure is a potent illustration of how foundational security lapses—like an unauthenticated API—can compromise the entire digital operations of a major enterprise. For a company entrusted with some of the most private information about individuals, the failure represents a serious lapse in fiduciary duty. While the prompt fix prevented known malicious exploitation, the incident will likely have lasting consequences for customer trust and regulatory compliance as India's digital health sector continues its rapid evolution.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation