Hacking a pharmacy to get free prescription drugs and more
Eaton • Feb 13, 2026
News coverage: TechCrunch

Are you a concerned Dava India Pharmacy customer? See the FAQ at the bottom.

Key Points / Summary

- Insecure super admin APIs on Dava India Pharmacy’s website made it possible to create a high-privileged super admin account.
- Super admins had complete control over the entire website and pharmacy backend, including access to:
  - 883 stores
  - Nearly 17,000 orders (customer information included)
  - Edit more than 1,500 products, including the ability to change price and remove prescription requirements
  - Create coupons, such as 100% off
  - Change aspects of the website, like the YouTube videos displayed

My first disclosure in the healthcare industry has arrived! Ever wondered what it would be like to gain administrative access to a major pharmacy? You’re about to find out.

The target was Dava India Pharmacy, a division of Zota Healthcare. If you are in the US, you probably haven’t heard of them, but those in India probably will have, since they have 2,100+ stores and claim to be “India’s largest private generic pharmacy retail chain”.

The primary function of the website is to sell you generic medicine. You create an account and can then buy what you want and have it shipped. Some medicine requires a prescription, though. There are also iPhone and Android apps. More information about Dava India Pharmacy can be found on their About Us page.

Create your own Super Admin

Creating a normal account to buy medicine is boring. Let’s create a super admin instead!

I found an admin subdomain that presented a simple login:

The site is developed using Next.js, so naturally there’s plenty of client-side JS to pick through. One part that stood out immediately was the forgot password code that mentioned super-admin APIs:

As a test, I went to the endpoint in the browser and was presented with the list of super admin users! All without authenticating.
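To make the failure concrete, here is an added example (not Dava India’s code) of a Next.js-style route handler for listing and creating super admin accounts: the unprotected pattern first, then the same logic gated by session and role before any method or field handling. The route path, tokens, roles and required fields are constructed assumptions, not values from the real site.

```javascript
// Added example, not Dava India's code: a Next.js-style API route for
// super admin accounts, first unprotected, then wrapped so that
// authentication and role checks run before anything else.
// Accounts, tokens, roles, route path and required fields are constructed.

const ROUTE = "/api/super-admin"; // assumed path for illustration only
const SUPER_ADMINS = [{ email: "admin@example.invalid", name: "A", mobile: "0" }];

// Constructed session store: bearer token -> authenticated principal.
const SESSIONS = new Map([
  ["tok-super", { id: 1, role: "superadmin" }],
  ["tok-staff", { id: 2, role: "store_staff" }],
]);

// Audit trail of access decisions; a detection rule for anonymous hits on
// admin routes would be built on records like these.
const AUDIT = [];

function getSession(req) {
  const [scheme, token] = ((req.headers || {}).authorization || "").split(" ");
  return scheme === "Bearer" ? SESSIONS.get(token) || null : null;
}

// Unprotected route: GET enumerates accounts and POST validates fields
// before asking who the caller is, so an anonymous request is handed the
// user list or told exactly which fields it still needs to supply.
function unprotectedRoute(req) {
  if (req.method === "GET") return { status: 200, body: SUPER_ADMINS.map((u) => u.email) };
  if (req.method === "POST") {
    const body = req.body || {};
    const missing = ["email", "name", "mobile"].filter((f) => !(f in body));
    if (missing.length) return { status: 400, body: { error: `missing: ${missing.join(", ")}` } };
    SUPER_ADMINS.push({ email: body.email, name: body.name, mobile: body.mobile });
    return { status: 201, body: { created: body.email } };
  }
  return { status: 405, body: {} };
}

// Protected route: authenticate, then authorize by role, then delegate.
// Every denial is recorded with method and path so it can be alerted on.
function protectedRoute(req) {
  const session = getSession(req);
  const deny = (status, error) => {
    AUDIT.push({ outcome: "denied", status, method: req.method, path: ROUTE, actor: session ? session.id : null });
    return { status, body: { error } };
  };
  if (!session) return deny(401, "authentication required");
  if (session.role !== "superadmin") return deny(403, "forbidden");
  AUDIT.push({ outcome: "allowed", method: req.method, path: ROUTE, actor: session.id });
  return unprotectedRoute(req);
}
```

The ordering is the point: once the role check sits in front of the field validation, an unauthenticated caller sees only a 401 and learns neither the account list nor the request schema.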
At least they were smart enough to not include plaintext passwords in the response. This leak was a good first step but did not immediately provide a gateway into the site.

As a next step, I wanted to see if I could create my own super admin account. Instead of a GET request to get all the users, I set up a POST to see what would happen. There was no code on the website to create a super admin that I could find, so this was a true blind test. The response indicated that it was a supported operation, but that I had not formed the request correctly.

Since there was no example request or code to create a super admin account, the fact that the response told me what was missing was incredibly helpful. Adding in the missing fields one by one, I eventually formed a successful request:

I then had to use the password reset function to set a password:

And I was in!

Super Admin Highlights

What could the super admin do? Basically everything. Let’s cover some of the highlights.

Stores – Dava India claims to have 2,100+ stores, but only 883 are shown here. Maybe these are the only ones set up for online ordering. You could edit the store details and even see details of the pharmacist assigned to it, including their private PIN.

Orders – you could see every order ever made and view personal information about the individual who placed it. This person just ordered eye drops, but what if they had ordered some Night Rider Premium Condoms or adult diapers? Certainly many possibilities to embarrass someone.

Products – there are more than 1,500 products available. You could edit all the details, like name, description, and price.

Inventory – view/modify the inventory numbers:

Coupons – want to make a coupon to get 100% off? Not a problem!

FREE DRUGS 4 ME

Let’s (try to) get some free drugs!
Here is a product that looks fun:

It’s got what men crave

I added a few to my cart because I needed all the support I could get:

Using the Coupons panel, I created a 100% off coupon that would only work for a specific email:

When I went to place the order, there it was:

The coupon code was applied successfully, and the entire order was made free apart from a platform fee. This was enough to prove it would work, so the order was not submitted, and the coupon was deleted.

You don’t need my prescription

Some items require a prescription to purchase. This is controlled by a toggle:

If you wanted to buy something that requires a prescription, you could in theory toggle this off and then submit your order. This was not tested, but it is highly likely it would have worked.

Sponsoring a Rick Roll

There is one more part of the admin panel worth mentioning: Sponsor Settings. This controls the videos that are shown on the website. For example, this is a video that was shown on the homepage:

And this is where you would control the video shown:

Imagine replacing it with the infamous Rick Roll video. It would certainly make for some laughs, but it was not attempted.

Timeline

Special thanks to India’s Com...
Insecure super admin APIs on the Dava India Pharmacy website allowed unauthenticated attackers to enumerate existing