Jakarta, Indonesia Sentinel — A user on Threads with the account name @mughu.id recently exposed a critical vulnerability in the Core Tax system, known as Coretax, of Indonesia’s Directorate General of Taxes (DJP), part of the Ministry of Finance.
The flaw allows the creation of a Taxpayer Identification Number (NPWP) simply by using the Coretax API with Node.js, bypassing validation. Surprisingly, this method is reportedly faster than the official registration process through the Core Tax system web platform.
“I’ve been struggling to register an NPWP for my family through the Coretax website—it’s nearly inaccessible. But then, I tried making a post request to the API using Node.js, and boom! It was done in a second!” @mughu.id shared in a post on Tuesday, February 4, 2025.
Two days earlier, @mughu.id conducted an experiment by registering an NPWP under the name “Test Bug” to see whether the system would validate the data. The result was alarming: the NPWP was successfully issued and sent via email, requiring only a valid national identification number (NIK), while other data fields remained unchecked.
“With just a valid NIK, everything else was left unverified, and the NPWP still got issued! I even used ‘Test Bug’ as the name,” the user revealed in their post.
In response, the Directorate General of Taxes acknowledged the issue. Dwi Astuti, DJP’s Director of Public Relations, confirmed that a team is addressing the security loophole.
“This matter is currently being handled by the relevant team,” Astuti stated.
She also urged taxpayers to register through alternative methods, such as contacting Kringpajak at 1500200, mailing completed registration forms to tax offices, or visiting the nearest tax office in person.
The incident raises concerns about the security and integrity of Indonesia’s tax registration system, potentially opening the door to fraudulent NPWP applications. While the government claims to be addressing the issue, cybersecurity experts emphasize the need for robust validation mechanisms and stricter security protocols to prevent future breaches.
(Becky)