
It does reveal to the person you have mutual friends with who those mutual friends are, but I just can't see an obvious reason why this additional information should be broadcast to everyone, even to people who are strangers to you and to the person you share part of your friends list with.

Edit: To clarify my standpoint, I tested this on a friend of mine (person A), who hides his friends list from everyone but his closest friends.

It just happens that I also befriended the person's best friend (person B), and therefore I tried to get the mutual friends between person A and B. What I received were 38 mutual friends, even though I can only see one mutual friend between myself and person A.

That is clearly information that person A didn't intend to share with me; therefore there has to be a bug or stupidity on Facebook's side involved to uncover this information to me.




Even from the example link the post gives, I am neither friends with Mark Zuckerberg (who has a private list) nor Chris Hughes (who has a public friends list). In this instance I have not had to befriend anyone!

https://www.facebook.com/zuck/friends?and=ChrisHughes

And given that FB has a history of just changing the default security for things without telling anyone, or making the defaults fully open/public, this is a little worrying!


It seems like this could be pretty easily fixed by just not allowing arbitrary usernames in the "and" parameter and instead using the currently logged in user.

It wouldn't fix everything, but it would mean you at least need to befriend someone in their network before being able to use this attack.


The goal of Facebook for users is building a social network, and on the corporate side leveraging that social network for monetary gain. Mutual friends lower the barrier to connecting the social graph.


Of course, I understand that perfectly well.

What I have a problem with is that they gave users a tool to manage and hide certain connections, even though anyone could potentially circumvent that.

My position is that the service should work as expected.

Either you give your users the means to hide connections, and consequently prevent hacks like this, or you remove that feature and every user will know that this information is public to all your friends.

Everything in between is just wrong, because it breaks your users' expectations; you've got to be clear about what your service does.

Also, I want to be clear that I don't think that Facebook is intentionally doing something evil, it's just a big corporation with lots of different people making decisions. That could happen anywhere.



