The development release has been unpublished due to the following security concerns:

Module: Ajaxified Friends (friends)
Version: 6.x-6.x-dev
Platform: ArchLinux / Apache / MySQL

Two different problems:
1) Visiting ?q=friends/search4friends will display all information that is
in profile field 1 or 2 (that is, where fid is 1 or 2,) regardless of whether
"Hidden profile field, only accessible by administrators, modules and
themes." is selected or not.

2) ?q=friends/search4friends does not do any xss filtering. Any data
placed inside profile fid 1 or 2 will be directly inserted into the
rendered page. For instance, if <script src='evil.js'></script> were
to be placed in the a profile field with a fid of 1 or two then the
resultant webpage would read <div id="friends_show_box"><script src='evil.js'></script></div>.