Hacking a pharmacy to get free prescription drugs and more

Eaton •

News coverage:

Are you a concerned Dava India Pharmacy customer? See the FAQ at the bottom.

Key Points / Summary

My first disclosure in the healthcare industry has arrived! Ever wondered what it would be like to gain administrative access to a major pharmacy? You’re about to find out.

The target was Dava India Pharmacy, a division of Zota Healthcare. If you are in the US, you probably haven’t heard of them, but those in India probably will have, since they have 2,100+ stores and claim to be “India’s largest private generic pharmacy retail chain”.

The primary function of the website is to sell you generic medicine. You create an account and can then buy what you want and have it shipped. Some medicine requires a prescription, though. There are also iPhone and Android apps.

More information about Dava India Pharmacy can be found on their About Us page.

Create your own Super Admin

Creating a normal account to buy medicine is boring. Let’s create a super admin instead!

I found an admin subdomain that presented a simple login:

The site is developed using Next.js, so naturally there’s plenty of client-side JS to pick through. One part that stood out immediately was the forgot password code that mentioned super-admin APIs:

As a test, I went to the endpoint in the browser and was presented with the list of super admin users! All without authenticating.

At least they were smart enough to not include plaintext passwords in the response.

This leak was a good first step but did not immediately provide a gateway into the site.

As a next step, I wanted to see if I could create my own super admin account. Instead of a GET request to get all the users, I set up a POST to see what would happen. There was no code on the website to create a super admin that I could find, so this was a true blind test.

The response indicated that it was a supported operation, but I did not form the request correctly. Since there was no example request/code to create a super admin account, the fact that the response told me what was missing was incredibly helpful. Adding in the missing fields one-by-one, I eventually formed a successful request:

I then had to use the password reset function to set a password:

And I was in!
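To make the root cause concrete, here is an added illustration (not Dava India's code, and the route and field names are hypothetical) of a Next.js-style API handler for a super-admin user collection: first the pattern described above, where GET and POST are served to anyone, then the same handler behind an authentication and role gate with an audit record. Handlers are plain functions over a request object so it runs offline.

```javascript
// Constructed in-memory stand-ins for the real user store and session table.
const superAdmins = [{ id: 1, email: 'admin@example.invalid', name: 'Admin', role: 'super-admin' }];
const sessions = new Map([
  ['tok-super', { id: 1, role: 'super-admin' }],
  ['tok-staff', { id: 7, role: 'staff' }],
]);
const REQUIRED = ['email', 'name', 'role']; // hypothetical required fields
const auditLog = [];

// Vulnerable pattern: no authentication or authorization on either method.
// Anyone can list the super admins, and because the 400 response names every
// missing field, an anonymous caller can assemble a valid create request one
// error message at a time, which is exactly how the account above was created.
function vulnerableHandler(req) {
  const body = req.body || {};
  if (req.method === 'GET') return { status: 200, body: superAdmins };
  if (req.method === 'POST') {
    const missing = REQUIRED.filter((f) => !(f in body));
    if (missing.length) {
      return { status: 400, body: { error: `missing fields: ${missing.join(', ')}` } };
    }
    superAdmins.push({ id: superAdmins.length + 1, ...body });
    return { status: 201, body: { ok: true } };
  }
  return { status: 405, body: {} };
}

// Hardened pattern: resolve the caller's session first and require the
// super-admin role before any data or validation detail is produced.
// Anonymous callers get 401, authenticated non-admins get 403, and every
// attempt is written to the audit log so a scan of the admin API is visible.
function hardenedHandler(req) {
  const token = ((req.headers || {}).authorization || '').replace(/^Bearer /, '');
  const user = sessions.get(token) || null;
  const allowed = user !== null && user.role === 'super-admin';
  auditLog.push({ user: user && user.id, method: req.method, allowed });
  if (!user) return { status: 401, body: { error: 'authentication required' } };
  if (!allowed) return { status: 403, body: { error: 'forbidden' } };
  return vulnerableHandler(req); // same CRUD logic, now behind the gate
}
```

The same gate belongs on every admin route, including the password-reset flow used to set the new account's password.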

Super Admin Highlights

What could the super admin do? Basically everything. Let’s cover some of the highlights.

Stores – Dava India claims to have 2,100+ stores, but only 883 are shown here. Maybe these are the only ones set up for online ordering. You could edit the store details and even see details of the pharmacist assigned to it and their private PIN.

Orders – you could see all the orders ever made and view personal information about the individual who placed the order. This person just ordered eye drops, but what if they ordered some Night Rider Premium Condoms or adult diapers? Certainly many possibilities to embarrass someone.

Products – there are more than 1,500 products available. You could edit all the details like name, description, and price.

Inventory – view/modify the inventory numbers:

Coupons – want to make a coupon to get 100% off? Not a problem!

FREE DRUGS 4 ME

Let’s (try) to get some free drugs! Here is a product that looks fun:

It’s got what men crave

I added a few to my cart because I needed all the support I could get:

Using the Coupons panel, I created a 100% off coupon that would only work for a specific email:

When I went to place the order, there it was:

The coupon code was applied successfully, and the entire order was made free besides some platform fee. This was enough to prove it would work, so the order was not submitted, and the coupon was deleted.

You don’t need my prescription

Some items require a prescription to purchase. This is controlled by a toggle:

If you wanted to buy something that would require a prescription, you could in theory toggle this off and then submit your order. This was not tested, but it is highly likely it would have worked.

Sponsoring a Rick Roll

There is one more part of the admin panel worth mentioning: Sponsor Settings. This controls the videos that are shown on the website. For example, this is a video that was shown on the homepage:

And this is where you would control the video shown:

Imagine replacing it with the infamous Rick Roll video. It would certainly make for some laughs, but it was not attempted.

Timeline

Special thanks to India’s Computer Emergency Response Team (CERT-IN) for working with me on this disclosure.

Dava India fixed the issue in a little under a month, but for some reason, took their time in confirming that to CERT-IN.

Unofficial FAQ for Dava India Pharmacy customers

If you have an account with Dava India Pharmacy and are concerned, hopefully this FAQ will help answer any questions you have.

Q: Was my data leaked?
A: No, the security vulnerabilities were fixed before this could happen.

Q: Do I need to reset my password or request a new credit card?
A: No

Q: Can you help me get free drugs or any discounts?
A: No

Q: If I purchased in-store, am I affected?
A: This is only believed to have impacted orders made online.

Q: When did this happen?
A: The vulnerability was reported to Dava India on/around August 20, 2025 and resolved on/around September 16, 2025. It is likely the vulnerability existed for some time before August, though.

Further questions or concerns should be directed to Dava India.
