The dust hadn’t even settled on the situation with MAX tracking VPN usage when something else happened. It was unexpectedly discovered that all images from conversations in the national messenger are accessible to everyone simply via a direct link without any authentication. You don’t even need to have a MAX account for this. We verified it — it actually works.

This isn’t clickbait. Your photos can actually be viewed via a link

The information that MAX stores photos in an open format originally appeared in a Telegram channel. We wanted to check whether it was true, and it turned out that yes, it is.

What’s the Problem With File Storage in MAX

MAX stores sent files on servers with open links without checking whether you’re logged into an account. That means any image you sent in a conversation or saved to “Favorites” is stored in an unencrypted form and accessible via a direct link. Anyone who has the link can open it.

Moreover, this likely makes it possible to write a script that would parse such links and crawl neighboring chats, extracting images that it shouldn’t have access to.

But that’s not all. There’s another detail that makes the situation even more unpleasant: if you delete a photo from a conversation, it still remains accessible via the same link. In other words, deleting in the app does not equal deleting from the server.
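For contrast with the behaviour described above, here is an added example (not MAX's code and not part of the original article) that places an open-link handler beside one that checks the session, a signed expiring link, chat membership and deletion. The in-memory store, all names, and the HMAC-signed link scheme are assumptions chosen for illustration; the article does not describe how the MAX backend is built.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed; a real service keeps this in a secrets store
STORE = {"img1": {"chat": "chatA", "data": b"\x89PNG-constructed", "deleted": False}}
MEMBERS = {"chatA": {"alice", "bob"}}  # constructed chat membership


def _mac(file_id, user, exp):
    return hmac.new(SECRET, f"{file_id}|{user}|{exp}".encode(), hashlib.sha256).hexdigest()


def serve_open(file_id):
    """Pattern the article describes: possession of the link is the only check."""
    rec = STORE.get(file_id)
    return (200, rec["data"]) if rec else (404, b"")


def sign_url(file_id, user, ttl=300, now=None):
    """Issue a short-lived link bound to one user, only if that user is in the chat."""
    if user not in MEMBERS[STORE[file_id]["chat"]]:
        raise PermissionError("not a chat member")
    exp = int(now if now is not None else time.time()) + ttl
    return f"/media/{file_id}?u={user}&exp={exp}&sig={_mac(file_id, user, exp)}"


def serve_checked(file_id, user, exp, sig, session_user, now=None):
    """Hardened handler: session, deletion, signature, expiry and membership are checked."""
    now = now if now is not None else time.time()
    rec = STORE.get(file_id)
    if session_user is None:
        return 401, b""  # no logged-in session: an incognito tab gets nothing
    if rec is None or rec["deleted"]:
        return 404, b""
    if not hmac.compare_digest(_mac(file_id, user, exp), sig) or session_user != user:
        return 403, b""  # forged link, or a link copied to another account
    if now > int(exp) or user not in MEMBERS[rec["chat"]]:
        return 403, b""  # expired link, or user no longer in the chat
    return 200, rec["data"]


def delete_file(file_id):
    """Deleting in the app also removes the bytes the link pointed to."""
    STORE[file_id]["deleted"] = True
    STORE[file_id]["data"] = b""
```
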

How to View MAX Photos via Link — Step-by-Step Guide

To verify this, you need a computer with any browser. Here’s how it’s done:

  1. Open the web version of MAX and log into your account.
  2. Find any photo in a conversation or send something to “Favorites.”
  3. Press Ctrl+Shift+C — the developer tools will open.
  4. Click on the image in the chat — a tag with the file address will be highlighted in the page code.
  5. Copy the address — it starts with https://i.oneme.ru/.
  6. Open a new tab in incognito mode and paste the address.

Here’s a screenshot of homework for my daughter accessible via the link

The photo will open. Without logging into an account. Now try deleting this photo from the conversation and opening the same link again — it will continue to work.

What This Means for You and What to Do Now

For most users, this means one thing: all photos ever sent through MAX are potentially accessible via direct links to anyone who intercepted or copied those links. This is especially important to remember for those who sent documents through MAX, personal photos, or anything not intended for outsiders.

VK has not yet commented on the situation. Until things are clarified, here are a few simple steps to help protect yourself:

  • Don’t send documents or photos through MAX that shouldn’t fall into the wrong hands.
  • Don’t rely on deletion: deleting a message doesn’t guarantee that the file will disappear from the servers.
  • If you need privacy, use messengers with end-to-end encryption, for example Telegram with secret chats.

Interestingly, back in the 2010s, VKontakte had exactly the same problem: closed photo albums of users who weren’t even on your friends list could be accessed through URLs. Apparently, MAX was developed by the same people.