Facebook: See friends of hidden profiles

Facebook's autocomplete-script for the friends search returns data it's not supposed to. Even hidden profiles's friends are revealed. All you need is the profiles uid, which is public.

<href="/ajax/poke_dialog.php?uid=*****">(...)</a>

The url of the buggy php script is:

http://www.facebook.com/ajax/typeahead_friends.php?u=*******&__a=1