A security researcher spent a month to find bad TOR exit nodes by setting up a honeypot kind of website which has a fake login page – To find the nodes that sniffs the traffic and attempts to steal the password.

Tor protects its users by bouncing their communications around a distributed network of relays runs by volunteers all around the world.

Chloe wrote in a blog, “A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with unique password and then store them. I do this with every exit node there is and then see if a password has been used twice, if that’s the case I know which node that was sniffing the traffic.”

According to the researcher, he bought a domain with a tempting name (such as bitcoinbuy) and then created a sub-domain(admin.) by using vhost and set up a simple login.

He used a simple login script that allowed any password ending wiht “sbtc”.  He created a random password ending with “sbtc” (eg:d25799f05fsbtc) and used it via tor nodes.

The script also saves the login attempts and successful logins in a file with user agent, IP and time – This will help him to find the bad nodes.

“The results are not so surprising, but what is most surprising about this is that 2 nodes with the ‘guard’ flag had logged in twice. Also, none of these nodes has been flagged even though I reported them to Tor.” Researcher said in his blog.

He released the result of the test; He tested more than 130k Exit nodes within 32 days. He found that there were 12 failed-login attempts, 16 successful logins that had not come from the researcher.