All attachments can be viewed by anyone that is logged in very easily, including images uploaded in conversations.
I know conversations are not "private" as such, but let's be honest, they are meant to be "private" and their function is to provide a "private" area for personal conversations.
To the user, conversations are private is what I am saying.
Now yes, on any site I use I would expect even my personal messages, private messages and personal conversations whatever you wanna call them, to monitored by admins/mods at some point, I would consider that fair practice even if I was uploading personal images of any nature to an assumed/applied, maybe not disclosed as private message thread/conversation, but never-the-less, messages of this kind are considered private, so if I upload an image that I only want my friend/family seeing, I wouldn't expect it to be easily viewed by anyone else. I don't mean admin/mods, I mean everyone else.
What alerted me to this problem was an attachment link in a notification e-mail.
I linked to image from within my e-mail and I noticed the url and wondered if changing the image number would display another image and..........................it does!
I don't have to change anything apart the number, so I could put www.mysite.com/forum_folder/attachments/anything-i-want-here-it-doesn't-matter-i-could-put-nothing-if-wanted-as-long-i-have-jpg.9 or whatever number I wanted.
This means, all images are accessible to anyone, at any time, even messages that are uploaded in conversations.
If someone was that way inclined, and let's be honest again, this is the internet, so there are weirdo's, creeps, perverts, trolls, etc everywhere and all they have to do is, sit there and go through each image one by one and have no trouble accessing them at all. If I wanted to, I could sit here right now and go through all the images that have been uploaded to xenforo, I could see everyone's conversation images without any trouble whatsoever. Luckily I have better things to do.
Considering there are probably a lot of sites that allow access to young teenagers and adults, it's alarming how easy it would be for someone to see any image that has been uploaded.
Again, I know it's not stated that conversations are private, but come on, everyone, as in, the average user, thinks that they are and if they wanted to share an image with with friends/family only, they would upload it in a conversation as oppose to the whole forum because they would assume it is a private thing.
Anyway, I know it's not a bug, but I think it definitely needs addressing somehow.