Even if it didn’t outright display the code you need to enter, my guess is this and similar implementations hide further vulnerabilities like: the numbers aren’t generated with a secure random number generator, or the validation call isn’t resistant to simple brute force quickly guessing every possible number, or the number is known client side for validation, etc.