It would have prevented requests from an authenticated browser (without a mobile UA) from being accepted, reducing the effectiveness of the attack.