Tor protects its users by bouncing their communications around a distributed network of relays runs by volunteers all around the world.
Chloe wrote in a blog, “A few weeks ago I got the idea of testing how much sniffing is going on in the Tor network by setting up a phishing site where I login with unique password and then store them. I do this with every exit node there is and then see if a password has been used twice, if that's the case I know which node that was sniffing the traffic.”
According to the researcher, he bought a domain with a tempting name (such as bitcoinbuy) and then created a sub-domain(admin.) by using vhost and set up a simple login.
He used a simple login script that allowed any password ending wiht "sbtc". He created a random password ending with "sbtc" (eg:d25799f05fsbtc) and used it via tor nodes.
The script also saves the login attempts and successful logins in a file with user agent, IP and time - This will help him to find the bad nodes.
“The results are not so surprising, but what is most surprising about this is that 2 nodes with the 'guard' flag had logged in twice. Also, none of these nodes has been flagged even though I reported them to Tor.” Researcher said in his blog.He released the result of the test; He tested more than 130k Exit nodes within 32 days. He found that there were 12 failed-login attempts, 16 successful logins that had not come from the researcher.