What happened
A critical vulnerability in the online platform of Dava India, a division of Zota Healthcare, allowed attackers to create privileged super admin accounts and gain full control of backend systems. The issue, discovered by Eaton-Works, was caused by backend APIs that lacked authentication checks, enabling unauthorized users to reset admin credentials and access internal administrative functions. The exposure included customer order information, store details, and product management capabilities, affecting nearly 17,000 customer orders across 883 stores. Attackers with super admin access could also modify product listings, change pricing, disable prescription requirements, and generate promotional coupons. The vulnerability was reported to CERT-IN and later patched, and researchers confirmed no known personal data theft occurred before remediation.
Who is affected
Customers and operations of Dava India, particularly those using its online platform and mobile app, are affected, as exposed administrative access allowed visibility into customer orders and internal system management functions.
Why CISOs should care
The vulnerability demonstrates how insecure API authentication controls can expose sensitive customer and operational data while enabling attackers to manipulate core business systems and administrative functions.
3 practical actions
- Audit API authentication controls. Ensure administrative and backend endpoints enforce proper authentication and authorization checks.
- Review administrative account creation logs. Identify unauthorized privileged account creation or credential resets.
- Monitor system configuration changes. Detect unauthorized modifications to products, pricing, or system settings enabled through privileged access.
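The second and third actions above can be scripted against an identity audit log. The following is an added illustration, not code from the original brief or from Dava India's platform: it assumes a hypothetical JSON-lines audit log with `event`, `actor`, `role` and `authn` fields (the sample lines are constructed) and flags the two patterns described in the incident, privileged account creation or credential resets, and such changes made with no authenticated actor behind them.

```python
import json
from typing import Iterable

# Constructed sample audit lines (one JSON event per line); field names are an assumption.
SAMPLE_AUDIT_LOG = """\
{"ts":"2025-01-10T09:12:01Z","event":"user.create","actor":"ops.admin","target":"store_883_manager","role":"store_manager","authn":"session"}
{"ts":"2025-01-10T09:40:22Z","event":"user.create","actor":null,"target":"svc_backup","role":"super_admin","authn":"none"}
{"ts":"2025-01-10T10:05:47Z","event":"credential.reset","actor":null,"target":"admin","role":"super_admin","authn":"none"}
{"ts":"2025-01-10T10:07:03Z","event":"credential.reset","actor":"helpdesk","target":"customer_4412","role":"customer","authn":"session"}
{"ts":"2025-01-10T11:15:30Z","event":"role.grant","actor":"ops.admin","target":"jdoe","role":"super_admin","authn":"session"}
"""

PRIVILEGED_ROLES = {"super_admin", "admin"}
SENSITIVE_EVENTS = {"user.create", "credential.reset", "role.grant"}
UNAUTHENTICATED = {None, "", "none", "anonymous"}


def review_admin_events(lines: Iterable[str]) -> list[dict]:
    """Return one finding per event that needs review.

    'critical' = privileged role touched by a request with no authenticated actor
                 (the pattern behind an unauthenticated admin reset / super admin creation).
    'review'   = privileged role changed by an authenticated actor, or an
                 unauthenticated change to a non-privileged account.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"ts": None, "target": None, "severity": "review",
                             "reasons": ["unparseable audit line"]})
            continue
        if ev.get("event") not in SENSITIVE_EVENTS:
            continue
        reasons = []
        if ev.get("role") in PRIVILEGED_ROLES:
            reasons.append(f"privileged role '{ev['role']}' via {ev['event']}")
        if not ev.get("actor") or ev.get("authn") in UNAUTHENTICATED:
            reasons.append("no authenticated actor on request")
        if reasons:
            severity = "critical" if len(reasons) == 2 else "review"
            findings.append({"ts": ev.get("ts"), "target": ev.get("target"),
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_admin_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(f["severity"].upper(), f["ts"], f["target"], "; ".join(f["reasons"]))
```

Running it over the sample lines reports the two unauthenticated super admin events as critical and the legitimate role grant for follow-up review.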
