It affected those 3rd-party applications that used "Sign in with Apple" without implementing their own additional security measures
A full account takeover of user accounts was possible on these 3rd-party applications irrespective of whether the victim had a valid Apple ID
Do not trust external entities
Implement server-side authorisation checks to identify and block unauthorised requests from non-privileged user accounts
"Amazon Cognito supports unauthenticated identities. If your application allows customers to use the application without logging in, you can enable access for unauthenticated identities."
Each AWS Cognito identity pool that is configured with an unauthenticated role could be vulnerable to breaches of the least-privilege principle, allowing unauthorised users access to potentially sensitive and private information stored in AWS services
Always follow the least-privilege principle when configuring IAM roles, i.e., each AWS Cognito role should have the smallest set of AWS permissions required to perform the respective user actions
If you hit a rate limit, it's expected that you back off from making requests and try again later when you're permitted to do so. Failure to do so may result in the banning of your app.
The X-RateLimit-Reset response header was missing
The X-RateLimit-Remaining response header was unexpectedly being reset to a higher value
Implement API rate-limiting checks effectively so that brute-force attacks are prevented
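Added example (not code from the original talk or from any vendor): a fixed-window limiter that always emits X-RateLimit-Reset and never lets X-RateLimit-Remaining climb within a window, a client-side back-off helper, and an audit routine that flags the two header defects listed above over recorded responses. Class and function names, limits and timestamps are hypothetical, constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RateLimiter:
    """Fixed-window limiter keyed per client token (hypothetical server-side component)."""
    limit: int = 15          # requests allowed per window (constructed value)
    window: int = 900        # window length in seconds (constructed value)
    _state: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # key -> (window_start, count)

    def check(self, key: str, now: float) -> Tuple[bool, Dict[str, str]]:
        """Return (allowed, response headers). The counter resets only once a full window elapsed."""
        start, count = self._state.get(key, (int(now), 0))
        if now - start >= self.window:
            start, count = int(now), 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self._state[key] = (start, count)
        reset_at = start + self.window
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - count),
            "X-RateLimit-Reset": str(reset_at),   # epoch seconds; always sent, never omitted
        }
        if not allowed:
            headers["Retry-After"] = str(max(reset_at - int(now), 0))
        return allowed, headers


def seconds_to_wait(headers: Dict[str, str], now: float) -> int:
    """Client-side back-off: honour Remaining/Reset instead of retrying immediately."""
    if int(headers.get("X-RateLimit-Remaining", "1")) > 0:
        return 0
    return max(int(headers["X-RateLimit-Reset"]) - int(now), 0)


def audit_headers(responses: List[Tuple[float, Dict[str, str]]]) -> List[str]:
    """Flag a missing Reset header, or Remaining rising within one window, over (timestamp, headers)."""
    findings: List[str] = []
    prev_remaining, prev_reset = None, None
    for ts, h in responses:
        if "X-RateLimit-Reset" not in h:
            findings.append(f"t={ts:.0f}: X-RateLimit-Reset header missing")
            continue
        remaining, reset_at = int(h["X-RateLimit-Remaining"]), int(h["X-RateLimit-Reset"])
        if prev_remaining is not None and remaining > prev_remaining and reset_at == prev_reset:
            findings.append(f"t={ts:.0f}: Remaining rose from {prev_remaining} to {remaining} before reset")
        prev_remaining, prev_reset = remaining, reset_at
    return findings
```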
Do not ship sensitive files in app bundles