When it is used to reach public websites, the Tor network has one big security weakness: although the nodes between your computer and the public internet cannot see both where the traffic is coming from and where it is going, the exit node (the final hop in the network) does know which webserver you are connecting to.
If the “final hop” is not protected by HTTPS encryption, the exit node can learn a great deal about your Tor use, because the traffic between you and the webserver passes through it in the clear. In that case the exit node can see what you send and what you receive, and it can interfere with the connection (for example, by injecting malicious code that exploits bugs in your browser in order to take it over). If your session includes identifying information (cookies, or a login and password), then whoever runs a spying exit node can reveal your identity without directly interfering in your session at all. The problem was much bigger when HTTPS connections were rarer; now, thanks to the Snowden revelations and projects like Let’s Encrypt, most of the internet is encrypted by default. This turns a big problem into a small one: a spying exit node can still see which webserver you are connecting to, but not which page; it cannot inject code into your session, and it cannot see the data going to and from the server.
Exit nodes are quite rare nowadays. The reason is that many of the people who ran exit nodes were harassed by law enforcement authorities. However, there were also many cases where the “node runners” contacted the police first, explained what the node did, and the authorities thanked them and left them alone.
The scarcity of exit nodes gives new significance to spy nodes: if you run a spying exit node, you can see most of the Tor traffic that goes to and from the public internet. Many governments, including the Chinese government, are running high-availability exit nodes that track and log all the traffic they can see.
Hidden services could easily solve the problem of spying exit nodes. These servers have no public internet address; they are accessed directly through the Tor network, without the traffic ever being routed through an exit node. Since all the traffic stays inside the Tor network and the intermediate nodes never get access to decrypted information, these sessions are considered very secure. Illegal dark web marketplaces such as The Silk Road were hosted as hidden services, and many other sites maintain hidden service versions of their public offerings. For example, Facebook can be accessed on the Tor network via an onion address that resolves to a machine in one of Facebook’s data centers in Oregon, which is then bridged into the rest of Facebook’s systems. By accessing Facebook through its hidden service, no one can see that you have visited Facebook at all, which bypasses censoring firewalls such as those used by schools, employers and governments.
The nodes discovered by the researchers at Northeastern University (ordinary nodes, not exit nodes) sifted through all the traffic that passed through them, looking for anything bound for a hidden service, which let them discover hidden services that had never been advertised. The nodes then attacked those hidden services by connecting to them and trying common exploits against the server software running on them, seeking to compromise and take them over.
Attacking spy nodes were already a known problem for the Tor Project, which had recently undertaken a re-architecting of the hidden service system that would prevent these attacks from taking place. It is not known who is running these nodes: they could be cybercriminals, governments, private suppliers of “infowar” weapons to governments, independent researchers, or other researchers.
“We create what we call ‘honey onions’ or ‘honions.’ These are onion addresses that we don’t share with anyone,” Noubir, one of the researchers, said. “If someone visits the sites, it’s a good indication that their service has been picked up by a malicious HSDir.” Sanatinia, another researcher, made this statement:
“They’re looking for vulnerabilities in the web server. Those attackers might look for cross-site scripting attacks, SQL-injection vulnerabilities, or just try to find the server’s status page, which can reveal lots of interesting, and potentially identifying, information about the site.”
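A worked example of the honey-onion idea from the defender's side, added here and not part of the original article or of the researchers' own code: a handful of constructed honions, the (hypothetical) HSDir relays each one's descriptor was published to, and a constructed access log from the honions' web servers. Because a honion is never advertised, any request at all is evidence, and the smallest set of HSDirs that could account for every visited honion points at the snooping directories. The hitting-set style inference is this example's own modelling, and every label (`honion-01`, `HSDIR-A`, the log lines) is a placeholder.

```python
"""Honey-onion ("honion") analysis, as a constructed example.

Each honion is an unadvertised onion service whose address is known only to the
operator, so any visit at all implies that one of the HSDirs it was published to
leaked it.  The placement map, relay labels and log lines below are constructed
for this example; the hitting-set inference is this example's own modelling,
not the researchers' published method.
"""
from itertools import combinations

# Constructed: which HSDir relays each honion's descriptor was published to.
# Labels such as "HSDIR-A" stand in for real relay fingerprints (hypothetical).
PLACEMENT = {
    "honion-01": {"HSDIR-A", "HSDIR-B", "HSDIR-C"},
    "honion-02": {"HSDIR-D", "HSDIR-E", "HSDIR-F"},
    "honion-03": {"HSDIR-A", "HSDIR-G", "HSDIR-H"},
    "honion-04": {"HSDIR-B", "HSDIR-D", "HSDIR-I"},
    "honion-05": {"HSDIR-E", "HSDIR-G", "HSDIR-I"},
}

# Constructed access log from the honions' web servers:
# "<honion> <timestamp> <method> <path> <status>"
ACCESS_LOG = [
    "honion-01 2016-07-01T12:00:03Z GET / 200",
    "honion-03 2016-07-01T12:07:41Z GET /server-status 404",
    "honion-03 2016-07-01T12:07:42Z GET /robots.txt 404",
]


def visited_honions(log_lines):
    """Every honion that received any request at all; legitimate traffic cannot exist by design."""
    return {line.split()[0] for line in log_lines if line.strip()}


def implicated_hsdirs(placement, visited):
    """All HSDirs that held the descriptor of at least one visited honion."""
    return set().union(*(placement[h] for h in visited)) if visited else set()


def minimal_explanations(placement, visited):
    """Smallest sets of HSDirs that, if misbehaving, would explain every visited honion.

    Each visited honion needs at least one misbehaving HSDir among the relays it
    was published to (a hitting-set problem).  Small instances are solved
    exhaustively; several minimal sets mean the data is ambiguous, and the
    operator should republish honions so the next round separates the candidates.
    """
    candidates = sorted(implicated_hsdirs(placement, visited))
    for size in range(1, len(candidates) + 1):
        solutions = [
            set(combo)
            for combo in combinations(candidates, size)
            if all(placement[h] & set(combo) for h in visited)
        ]
        if solutions:
            return solutions
    return []


def not_implicated(placement, visited):
    """HSDirs that only ever held unvisited honions; this data gives no reason to suspect them."""
    return set().union(*placement.values()) - implicated_hsdirs(placement, visited)


if __name__ == "__main__":
    seen = visited_honions(ACCESS_LOG)
    print("visited honions:", sorted(seen))
    print("minimal explanations:", minimal_explanations(PLACEMENT, seen))
    print("not implicated:", sorted(not_implicated(PLACEMENT, seen)))
```

With the constructed data, `honion-01` and `honion-03` share only `HSDIR-A`, so a single misbehaving relay explains both visits and the relays behind the untouched honions are not implicated. When two visited honions share no HSDir, the function returns every pair that could explain them, which is the signal to spread fresh honions over those relays in a way that breaks the tie.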