India's Biggest Pharmacy Reveals

A significant flaw in the platform of a Zota Healthcare division exposed private customer and internal system information because of unauthenticated "super admin" APIs. Thanks to the flaw, which Eaton-Works discovered, anyone could create a privileged super admin account and take complete control of the pharmacy's backend systems.
Dava India, the largest private generic pharmacy retail chain in India with over 2,100 locations, offers a mobile app and an online platform for buying medications.

Make your own Super Admin (Source: Eaton-Works)

Super Admin Access Without Permission

However, Eaton-Works discovered that there were no authentication checks on the website's backend APIs.
By interacting with these endpoints, it was possible to create a super admin user account and change its password, which gave access to the whole administrative system. The exposed capabilities included access to store information, product management features, and customer orders. Eaton-Works states that attackers could have accessed data from almost 17,000 customer orders placed at 883 locations.
Exposure of private customer data (Source: Eaton-Works)

Additionally, super admins had the ability to modify or remove more than 1,500 products, alter prices, disable prescription requirements, and create custom coupons, such as a "100% off" coupon. The panel's control over website display features, such as YouTube video embeds and sponsored content, increased the potential for content manipulation. In essence, an attacker could have changed almost every aspect of the business's online presence.
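The root cause described above is an admin-management endpoint that trusts the request body and never checks who is calling. The following is an added illustration written for this article, not code from Dava India, Eaton-Works or any real system: the endpoint names, the in-memory user store and the request shape are hypothetical. It shows the unauthenticated "create user / reset password" pattern beside a fixed version that binds the action to an authenticated session, checks the caller's role, and writes an audit line.

```python
"""Unauthenticated admin endpoints versus the fixed form (hypothetical example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    role: str          # "customer", "store_manager" or "super_admin"
    salt: bytes
    pw_hash: bytes


@dataclass
class Request:
    body: dict                            # parsed JSON body sent by the client
    session_user: Optional[str] = None    # username bound to a verified session cookie


class AuthError(Exception):
    """Request lacks the authentication or authorization the action requires."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salted PBKDF2; a production service would use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    def __init__(self) -> None:
        self.users: dict = {}
        self.audit: list = []   # one line per privileged action, for detection

    def add(self, username: str, role: str, password: str) -> User:
        salt = os.urandom(16)
        user = User(username, role, salt, _hash_password(password, salt))
        self.users[username] = user
        return user

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))


# --- Vulnerable pattern: no session check, caller chooses its own role ----------

def vulnerable_create_user(store: UserStore, req: Request) -> User:
    """Any client that can reach the endpoint mints an account with any role."""
    body = req.body
    return store.add(body["username"], body["role"], body["password"])


def vulnerable_reset_password(store: UserStore, req: Request) -> None:
    """Reset keyed only on the target username: an anonymous caller takes over any account."""
    user = store.users[req.body["username"]]
    user.pw_hash = _hash_password(req.body["new_password"], user.salt)


# --- Fixed pattern: authenticate, authorize by role, validate input, audit ------

def require_role(store: UserStore, req: Request, role: str) -> User:
    """Return the calling user only if the session maps to a user holding `role`."""
    if req.session_user is None:
        raise AuthError("authentication required")
    caller = store.users.get(req.session_user)
    if caller is None or caller.role != role:
        raise AuthError("insufficient privilege")
    return caller


def secure_create_user(store: UserStore, req: Request) -> User:
    caller = require_role(store, req, "super_admin")
    role = req.body.get("role", "customer")
    if role not in ("customer", "store_manager", "super_admin"):
        raise ValueError("unknown role")
    username = req.body["username"]
    if username in store.users:
        raise ValueError("user already exists")
    user = store.add(username, role, req.body["password"])
    store.audit.append(f"{caller.username} created {username} with role {role}")
    return user


def secure_reset_password(store: UserStore, req: Request) -> None:
    """Only the account owner (proving the current password) or a super admin may reset."""
    target = req.body["username"]
    if target not in store.users:
        raise KeyError("no such user")
    if req.session_user == target:
        if not store.verify_password(target, req.body.get("current_password", "")):
            raise AuthError("current password incorrect")
        actor = target
    else:
        actor = require_role(store, req, "super_admin").username
    user = store.users[target]
    user.salt = os.urandom(16)
    user.pw_hash = _hash_password(req.body["new_password"], user.salt)
    store.audit.append(f"{actor} reset password for {target}")
```

The audit list is the detection hook: every privileged action records who performed it, so a super admin created by an account that should not hold that role, or a burst of password resets from one session, is visible in logs rather than silent. The fixed handlers also refuse to let the request body choose a role unless the caller already holds the highest one.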
On August 20, 2025, the vulnerability was reported to India's Computer Emergency Response Team (CERT-In). About a month later, Dava India fixed the problem, but the company did not provide official confirmation until late November 2025.
On February 13, 2026, the researcher made the disclosure public; it was their first discovery in the medical field. Eaton-Works verified that the vulnerability was fixed before any known exploitation and that no personal information was taken. The vulnerability affected only the online systems; customers who made in-store purchases were unaffected. This incident highlights the serious risks of insecure API design in healthcare and retail platforms, where administrative access frequently exposes sensitive customer and operational data.