Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.

[–] isVeryLoud@lemmy.ca 2 points 3 hours ago* (last edited 3 hours ago)

The code is sent as part of a payload to the front-end for local validation

[–] no_username@lemm.ee 28 points 12 hours ago (1 children)

what if 435841 is the most secure 6 digit numerical code?

why use another?

[–] Valmond@lemmy.world 13 points 12 hours ago (2 children)

I use the random number 4, I even rolled a dice to get a real random number instead of those "pseudo" random numbers. (XKCD?)

[–] pleasejustdie@lemmy.world 2 points 3 hours ago

This goes back even further, Randall is referencing the ps3 security, that has a constant instead of a random number. That allowed failOverflow to remove one variable and reverse the private key to sign ps3 apps.

[–] MHLoppy@fedia.io 12 points 11 hours ago

https://xkcd.com/221/

[–] ouRKaoS@lemmy.today 10 points 13 hours ago

It probably just always displays the one code.

[–] DragonTypeWyvern@midwest.social 3 points 13 hours ago

Yep. There's going to be some absolutely massive breach at some point that hurts a lot of people.