Even if it didn't outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren't generated with a secure random number generator, or the validation call isn't resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.

[–] no_username@lemm.ee 34 points 22 hours ago (1 children)

what if 435841 is the most secure 6 digit numerical code?

why use another?

[–] Valmond@lemmy.world 13 points 22 hours ago (2 children)

I use the random number 4, I even rolled a dice to get a real random number instead of those "pseudo" random numbers. (XKCD?)

[–] pleasejustdie@lemmy.world 3 points 13 hours ago (1 children)

This goes back even further, Randall is referencing the ps3 security, that has a constant instead of a random number. That allowed failOverflow to remove one variable and reverse the private key to sign ps3 apps.

[–] Valmond@lemmy.world 1 points 2 hours ago

The hitech world was crazy back then, I programmed the DS with some similar hack made by some dude on the internet. Fun times.

[–] MHLoppy@fedia.io 13 points 21 hours ago

https://xkcd.com/221/

[–] isVeryLoud@lemmy.ca 2 points 13 hours ago* (last edited 13 hours ago)

The code is sent as part of a payload to the front-end for local validation

[–] ouRKaoS@lemmy.today 11 points 23 hours ago (1 children)

It probably just always displays the one code.

[–] sqgl@sh.itjust.works 1 points 2 hours ago

Maximized efficiency at the expense of security. Can happen to anyone.

[–] DragonTypeWyvern@midwest.social 3 points 23 hours ago

Yep. There's going to be some absolutely massive breach at some point that hurts a lot of people.