
"The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail outlets across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying insecure "super admin" application programming interfaces on DavaIndia's website and privately shared details with Indian cybersecurity authorities. The bug is now fixed, and Zveare disclosed his findings."
"With that level of access, an attacker could view thousands of online orders containing customer information, modify product listings and prices, create discount coupons, and change settings governing whether certain medicines required a prescription, the researcher said. Based on system timestamps, Zveare said the vulnerable administrative interfaces appeared to have been live since late 2024. The access exposed nearly 17,000 online orders and administrative controls spanning 883 stores, he said, allowing changes to product pricing, prescription requirements, and promotional discounts."
DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, exposed insecure super-admin APIs that let unauthenticated callers create high-privilege accounts. Security researcher Eaton Zveare found the flaw, privately shared details with Indian cybersecurity authorities, and the vulnerability has since been fixed. Based on system timestamps, the vulnerable interfaces appear to have been live since late 2024; they exposed nearly 17,000 online orders and administrative controls spanning 883 stores. An attacker could view customer order data, modify product listings and prices, create discount coupons, change which medicines require a prescription, and edit website content, creating risks of privacy breaches, pricing manipulation, and site defacement at a retailer in the middle of rapid expansion.
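The flaw class described above is broken access control on an administrative endpoint: a privileged operation (creating a super-admin account) reachable without a session or role check. The following is an added illustration of that pattern beside its hardened form; it is not DavaIndia's or Zota Healthcare's code, and the endpoint shape, the in-memory `UserStore`, the role names and the bearer-token scheme are all assumptions made for the example. It runs stand-alone with the Python standard library.

```python
"""Broken access control on an admin-account API: vulnerable vs. hardened.

Illustrative example only, not DavaIndia's or Zota Healthcare's code.
The real endpoints, parameter names and storage are unknown; the names
below (UserStore, Request, role strings) are assumptions for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: headers plus a JSON body."""
    headers: dict
    body: dict


@dataclass
class UserStore:
    """In-memory user/session store (constructed for the example)."""
    users: dict = field(default_factory=dict)     # username -> role
    sessions: dict = field(default_factory=dict)  # bearer token -> username
    audit: list = field(default_factory=list)     # (event, actor, target, ...)

    def login(self, username: str) -> str:
        """Issue a random bearer token for an existing user."""
        if username not in self.users:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token


def create_admin_vulnerable(store: UserStore, req: Request) -> tuple:
    """The flawed pattern: no authentication, no authorization.

    Anyone who discovers the endpoint can mint a super-admin account and
    then use it against every other admin API behind it.
    """
    name = req.body["username"]
    store.users[name] = req.body.get("role", "super_admin")
    return 201, {"created": name, "role": store.users[name]}


def current_user(store: UserStore, req: Request):
    """Resolve the Authorization bearer token to a username, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].encode()
    # Constant-time compare so a probe cannot learn tokens byte by byte.
    for stored, user in store.sessions.items():
        if hmac.compare_digest(stored.encode(), token):
            return user
    return None


def create_admin_hardened(store: UserStore, req: Request) -> tuple:
    """Hardened version: authenticate, authorize by role, validate, audit."""
    actor = current_user(store, req)
    if actor is None:
        return 401, {"error": "authentication required"}
    if store.users.get(actor) != "super_admin":
        # Record the refused attempt; a burst of these is a hunting lead.
        store.audit.append(("denied", actor, req.body.get("username")))
        return 403, {"error": "super_admin role required"}
    name = req.body["username"]
    role = req.body.get("role", "store_admin")
    if role not in {"store_admin", "super_admin"}:
        return 400, {"error": "unknown role"}
    store.users[name] = role
    # Every privilege grant is attributed to the actor who made it.
    store.audit.append(("created", actor, name, role))
    return 201, {"created": name, "role": role}


if __name__ == "__main__":
    # Constructed demo: an unauthenticated caller against both handlers.
    anon = Request(headers={}, body={"username": "evil", "role": "super_admin"})
    weak = UserStore(users={"alice": "super_admin"})
    print("vulnerable:", create_admin_vulnerable(weak, anon))
    strong = UserStore(users={"alice": "super_admin"})
    print("hardened:  ", create_admin_hardened(strong, anon))
```

The hardened handler fails closed in three layers: no valid session means 401 before any body is read, a valid session without the `super_admin` role means 403, and only then is the requested role validated and the grant written to an audit trail. The audit entries are what an incident responder would use to answer the question the article raises about the "since late 2024" window: which privileged accounts exist, who created them, and whether any creation lacks a legitimate actor.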
Read at TechCrunch