Customer personal information and backend systems at Dava India, one of the largest generic pharmacy retail chains in the country and a subsidiary of Zota Healthcare, were exposed by a serious security flaw. In August 2025, security researcher Eaton discovered an open API endpoint on the company's website that bypassed authentication entirely.

The vulnerability was hiding in plain sight: the site's "forgot password" feature made explicit reference to super-admin API endpoints. Querying those endpoints returned the full list of super-admin users without any authentication or authorization check, and a single straightforward POST request was enough to create a new super-admin account. Stored passwords were hashed, but hashing offers no protection when an attacker can simply add an account of their own; the result was complete control over the pharmacy's management dashboard.

Details of the impact

- Exposure of data: pharmacist PINs, customer personal information, and more than 17,000 customer orders
- Control of the system: complete super-admin access through an unsecured API
- Manipulation of products: editing more than 1,500 products, altering prices, and removing prescription requirements
- Financial risk: creating 100%-off coupons, increasing the risk of theft
- Operational risk: inventory management and 883 store profiles accessible

The breach exposed names, addresses, phone numbers, and pharmacist PINs, and gave access to 883 store profiles and more than 17,000 customer orders. Attackers could modify over 1,500 products, changing prices and descriptions or even turning off the "prescription required" flag on controlled substances.

Eaton demonstrated this by turning the flag off, after which orders for sensitive drugs could be placed without any prescription check.

Financial sabotage was also a major concern: in tests, the system allowed administrators to create coupons with a 100% discount, reducing order totals to zero. Operational risk extended to the "Sponsor Settings" panel, where the YouTube videos embedded on the homepage could be swapped for phishing or defacement content. Although there was no ransomware or data theft, the risk of fraud, privacy violations, and regulatory repercussions was substantial.

In August 2025, Eaton reported the flaw to India's CERT-In. Although it was patched by mid-September, Dava India did not formally confirm the fix until late November. The fix enforces proper authentication on the endpoints and prevents the creation of unauthorized accounts. The incident highlights the weakness of API security in e-commerce, particularly on healthcare platforms that handle private information.

Retail chains should pentest their platforms regularly, enforce authentication and role-based authorization on every endpoint (for example OAuth 2.0 or JWT bearer tokens validated server-side, with an explicit role check on administrative routes), and audit which endpoints are reachable without credentials.
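The access-control failure described above (admin endpoints that list and create super-admin users with no check at all) and the "enforce authentication and audit exposed endpoints" advice here, as an added example that is not Dava India's or the researcher's code: a minimal in-process router with the unauthenticated pattern beside a hardened version, and a route audit that flags admin routes carrying no role requirement. The route paths, role names, the pre-seeded "root" account and the opaque server-side session token (used here in place of the JWT/OAuth tokens mentioned in the text; the role check is the same) are all hypothetical.

```python
"""Added example, not code from Dava India or the researcher: contrasts an
unauthenticated super-admin API with a hardened one and audits the route table.
Paths, roles, accounts and the session scheme are hypothetical."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256. Hashing alone is no defence if anyone can add accounts."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Hypothetical backend state: one pre-existing super admin, no live sessions.
_salt, _digest = hash_password("correct horse battery staple")
SUPER_ADMINS = {"root": {"salt": _salt, "pw_hash": _digest}}
SESSIONS = {}  # bearer token -> (username, role)


def login(username: str, password: str) -> Optional[str]:
    """Issue a bearer token only after the stored hash verifies."""
    rec = SUPER_ADMINS.get(username)
    if rec is None:
        return None
    _, candidate = hash_password(password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, "super_admin")
    return token


# --- Vulnerable pattern: the handler trusts whoever sends the request -------
def vuln_list_super_admins(req: Request):
    return 200, {"users": sorted(SUPER_ADMINS)}


def vuln_create_super_admin(req: Request):
    salt, digest = hash_password(req.body["password"])
    SUPER_ADMINS[req.body["username"]] = {"salt": salt, "pw_hash": digest}
    return 201, {"created": req.body["username"]}


# --- Hardened pattern: authenticate the session, then authorise the role ----
def require_role(role: str):
    def wrap(handler):
        def guarded(req: Request):
            auth = req.headers.get("Authorization", "")
            if not auth.startswith("Bearer "):
                return 401, {"error": "authentication required"}
            session = SESSIONS.get(auth[len("Bearer "):])
            if session is None:
                return 401, {"error": "invalid session"}
            if session[1] != role:
                return 403, {"error": f"{role} role required"}
            return handler(req)
        guarded.required_role = role  # inspected by audit_routes below
        return guarded
    return wrap


list_super_admins = require_role("super_admin")(vuln_list_super_admins)
create_super_admin = require_role("super_admin")(vuln_create_super_admin)

VULNERABLE_ROUTES = [
    ("GET", "/api/super-admin/users", vuln_list_super_admins),
    ("POST", "/api/super-admin/users", vuln_create_super_admin),
    ("POST", "/api/auth/forgot-password", lambda r: (200, {})),
]
HARDENED_ROUTES = [
    ("GET", "/api/super-admin/users", list_super_admins),
    ("POST", "/api/super-admin/users", create_super_admin),
    ("POST", "/api/auth/forgot-password", lambda r: (200, {})),
]


def dispatch(routes, req: Request):
    for method, path, handler in routes:
        if method == req.method and path == req.path:
            return handler(req)
    return 404, {"error": "not found"}


def audit_routes(routes, admin_prefix="/api/super-admin/"):
    """Return admin routes whose handler carries no role requirement."""
    return [f"{m} {p}" for m, p, h in routes
            if p.startswith(admin_prefix) and getattr(h, "required_role", None) is None]


if __name__ == "__main__":
    attacker = Request("POST", "/api/super-admin/users",
                       body={"username": "evil", "password": "x"})
    print("vulnerable:", dispatch(VULNERABLE_ROUTES, attacker))
    print("hardened:  ", dispatch(HARDENED_ROUTES, attacker))
    print("unprotected admin routes:", audit_routes(VULNERABLE_ROUTES))
```

The audit is deliberately simple: it checks only that every route under the admin prefix was registered through the role guard. In a real codebase the same idea is applied to the framework's route table (or to a proxy's access-log of unauthenticated 2xx responses on admin paths), which is how a "forgot password" page referencing super-admin endpoints would have been caught before a researcher found it.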

Removing prescription gates exposes pharmacies to both a public-health risk and liability under India's DPDP Act.