A critical vulnerability in Dava India Pharmacy's super admin APIs exposed sensitive customer data and allowed unauthorized access to prescription drug controls, highlighting the urgent need for robust API security in healthcare.
The intersection of healthcare and technology has always been a sensitive area, but when security vulnerabilities meet prescription drug systems, the consequences can be particularly alarming. A recent security discovery at Dava India Pharmacy, one of India's largest private generic pharmacy retail chains with over 2,100 stores, has exposed critical weaknesses in how pharmaceutical companies handle administrative access and API security.
The vulnerability, discovered by security researcher Eaton, centered on severely insecure super admin APIs that allowed unauthorized creation of high-privileged accounts. What makes this case particularly concerning is not just the technical flaw itself, but the breadth of access that such an account would provide and the potential for real-world harm.
The Anatomy of a Critical Vulnerability
The security flaw was rooted in the pharmacy's web infrastructure, which was built using Next.js. The researcher discovered that the forgot password functionality for super admin accounts inadvertently exposed an API endpoint that listed all super admin users without requiring authentication. While this initial discovery didn't immediately provide access credentials, it revealed the existence of administrative APIs that were not properly secured.
What followed was a methodical exploration of these APIs. By sending POST requests to the exposed endpoint, the researcher was able to determine that the system supported account creation operations. The API responses were surprisingly helpful, indicating exactly what information was missing from each request. This "helpful error messaging" inadvertently guided the researcher toward crafting a successful super admin account creation request.
Within minutes, a fully privileged super admin account was created, complete with access to the entire pharmacy backend system. The account creation process was so straightforward that it raises serious questions about the development and security practices employed by the organization.
The Scope of Administrative Control
Once inside the system with super admin privileges, the extent of control was staggering. The compromised account had access to:
- 883 pharmacy stores with detailed information about each location and assigned pharmacists
- Nearly 17,000 customer orders containing personal information and purchase histories
- Over 1,500 products that could be edited, including pricing and prescription requirements
- Inventory management systems allowing modification of stock levels
- Coupon creation tools enabling discounts of any percentage, including 100% off
- Website content controls including video content displayed to customers
The ability to modify prescription requirements was particularly troubling. Products that normally required a valid prescription could have their requirements toggled off, potentially allowing unauthorized access to controlled substances. While this specific scenario wasn't tested, the researcher noted it was "highly likely" to work given the other administrative capabilities demonstrated.
Real-World Exploitation Scenarios
The researcher conducted a proof-of-concept test that demonstrated the practical implications of this vulnerability. By creating a 100% off coupon code for a specific email address, they were able to successfully apply the discount to a test order. The system processed the coupon correctly, reducing the order total to just platform fees. This proved that the administrative capabilities weren't just theoretical—they could be used to obtain prescription medications at no cost.
The inventory and product management capabilities opened up additional exploitation vectors. An attacker could modify product prices, create bulk discounts, or even remove prescription requirements for controlled substances. The access to customer order histories also presented privacy violation opportunities, potentially exposing sensitive medical information and embarrassing purchase histories.
The Website Control Angle
Perhaps most interestingly, the super admin panel included controls for website content, specifically video content displayed on the homepage. The researcher noted that they could have replaced legitimate content with the infamous "Rick Roll" video, which would have been disruptive but relatively harmless compared to the other capabilities. This feature highlighted how administrative access extended beyond backend systems into customer-facing content, creating potential for reputational damage and customer confusion.
The Disclosure Timeline and Response
The vulnerability was reported to Dava India on August 20, 2025, with the company acknowledging receipt and promising to take action. The fix was deployed by September 16, 2025, representing a response time of under a month—a relatively quick turnaround for a critical security issue.
However, the disclosure process revealed concerning communication issues. Despite the vulnerability being fixed, Dava India took an unusually long time to confirm the resolution to India's Computer Emergency Response Team (CERT-IN). The researcher had to follow up multiple times between September and November 2025 before receiving confirmation that the issue was resolved. This delay in communication, even after the technical fix was implemented, raises questions about the company's incident response procedures and transparency.
Implications for Healthcare Security
This incident serves as a stark reminder of the critical importance of API security in healthcare applications. The fact that a simple administrative API endpoint could provide such comprehensive access to a pharmacy's operations demonstrates a fundamental failure in security architecture and access control design.
Healthcare organizations handle some of the most sensitive personal information imaginable, including medical histories, prescription records, and payment information. When security vulnerabilities in these systems are exploited, the consequences extend beyond typical data breaches—they can impact patient safety, medication access, and personal privacy in profound ways.
The Dava India case also highlights the importance of proper API design principles, including authentication requirements, authorization controls, and secure error messaging. The fact that the API helpfully indicated what information was missing from requests essentially provided a roadmap for exploitation, a common pitfall in API development.
Lessons for the Industry
This security incident offers several critical lessons for healthcare technology providers and organizations handling sensitive medical data:
API Security Must Be Foundational: Administrative APIs should never be accessible without proper authentication and authorization. The principle of least privilege should be strictly enforced, with administrative functions requiring multi-factor authentication and audit logging.
Error Messages Should Be Secure: While helpful error messages improve developer experience, they can also provide attackers with valuable information. Error responses should be informative enough for legitimate users but not detailed enough to aid exploitation attempts.
Regular Security Audits Are Essential: The fact that this vulnerability existed for an unknown period before discovery suggests that regular security assessments and penetration testing are crucial for healthcare applications.
Incident Response Planning Matters: The delay in confirming the fix to CERT-IN, despite the technical resolution, demonstrates that incident response plans should include clear communication protocols and timelines for stakeholder updates.
Healthcare Security Is Critical Infrastructure: As healthcare increasingly moves online, the security of pharmacy systems, telemedicine platforms, and medical record systems becomes critical infrastructure that requires the highest security standards.
Conclusion
The Dava India Pharmacy security vulnerability represents a significant failure in healthcare technology security, but it also serves as an important case study for the industry. The combination of exposed administrative APIs, insufficient access controls, and helpful error messaging created a perfect storm that could have allowed unauthorized access to prescription medications and sensitive customer data.
While the vulnerability was ultimately discovered and reported by a responsible security researcher, the incident underscores the need for healthcare organizations to prioritize security in their technology development and operations. In an era where digital health services are becoming increasingly common, the security of these systems is not just a technical concern—it's a matter of patient safety and privacy.
The Dava India case should serve as a wake-up call for the entire healthcare technology industry to reassess their security practices, particularly around API design and administrative access controls. As more healthcare services move online, the stakes for security failures will only continue to rise.
Comments
Please log in or register to join the discussion