Be careful what you Twitter — especially if you think the website will keep it secret for you. In 1999, Scott McNealy, then Sun's CEO, said, "You have zero privacy anyway. Get over it." Webheads have been diligently trying to prove him wrong since, with online tools that zealously guard our privacy. And yet they keep proving him right, with senseless coding errors which destroy the very privacy they try to protect. The latest example: Twitter. A Hungarian website, Webisztán, has found a simple exploit for Twitter.A feed of your friends' Twitter messages publicly lists all all messages, whether or not they're "protected." (Twitter users can choose to protect their messages so only designated "friends" can see them.) I decided to test the bug on some folks for whom privacy might be a fresh concern — two ringleaders of the infamous "Camp Cyprus" video, Facebook product manager Dave Morin, and Wall Street Journal reporter Jessica Vascellaro. Both participated in a seaside frolic in Cyprus with several other Internet-employed individuals, which has become a symbol of Web 2.0 excess. Vascellaro made her Twitter messages private after she got back from her Cyprus vacation, after rather indiscreetly Twittering several updates about the progress of the video. Sure enough, Morin's feed of messages from Twitter friends contains a private message broadcasted by Vascellaro only to her designated friends. Fortunately, it's just a notice that she's "in need of Halloween costume ideas," rather than an update about a story she's filing for the paper. To see anyone else's private, friends-only messages, pick one of the user's friends, and then substitute their user name in this URL:[USERNAME].xml

Here's a question: Will this bug get fixed more quickly, now that it's been shown to involve a Facebook employee and a Wall Street Journal reporter? Twitter what you think, or leave it in the comments.