
Tor hidden services are designed to conceal a website's real location and IP address, allowing operators to remain anonymous while serving content through the Tor network.
However, a new report from SOS Intelligence researcher Amir Hadzipasic shows that simple configuration mistakes continue to undermine those protections, exposing the infrastructure behind supposedly anonymous services.
The findings are based on data collected through SOS Intelligence's DARKSEARCH platform, which continuously crawls and indexes content hosted on Tor hidden services. According to the report, many de-anonymization opportunities stem not from weaknesses in Tor itself but from improperly configured web servers, applications, and supporting infrastructure.
One of the most common issues involves Apache's mod_status module. When exposed through the /server-status endpoint, the diagnostic tool can reveal hostnames, IP addresses, virtual host configurations, active connections, and software details. In some cases, this information can directly identify the server hosting a hidden service or provide enough clues for investigators to trace it through other data sources.
SOS Intelligence also found hidden services exposing PHP diagnostic pages created with the phpinfo() function. These pages can disclose server hostnames, directory paths, installed extensions, environment variables, software versions, and, in certain cases, the server's public IP address. Similar information leaks can occur when applications such as Laravel, Django, or Node.js are left running in development or debug mode, exposing stack traces and configuration details to visitors.
The report highlights SSL/TLS certificate reuse as another frequent operational security mistake. Some hidden service operators install certificates that are also used on clear web sites or contain identifying domain information. Because certificate details are publicly recorded in Certificate Transparency logs, researchers can sometimes link a .onion service to a conventional website or hosting infrastructure.
Beyond diagnostic pages and certificates, the researchers observed hidden services leaking information through default Apache and Nginx pages, verbose error messages, and HTTP response headers. These disclosures often reveal software versions, server technologies, and other technical details that can be correlated with internet-wide scanning platforms such as Shodan and Censys.
Exposed administration interfaces also remain common. Services such as phpMyAdmin, WordPress administration panels, and other management portals are sometimes unintentionally made accessible through Tor, creating additional opportunities to gather information about the underlying infrastructure.
Content hosted on hidden services can also undermine anonymity. Images may contain EXIF metadata revealing timestamps, software identifiers, usernames, or even GPS coordinates. In other cases, developers inadvertently leave references to clear web domains, external resources, or content delivery networks within page source code, providing additional attribution clues.
The researcher notes that even seemingly minor disclosures can become valuable intelligence when combined with other information. A leaked hostname, certificate fingerprint, software version, or administrator username may be enough to narrow investigations and identify links between dark web services and real-world infrastructure.
According to Hadzipasic, these types of operational security failures have played a role in several major dark web investigations over the years. Rather than breaking Tor's cryptography or anonymity mechanisms, investigators often rely on exposed server information and configuration mistakes to identify hidden service operators.
To reduce the risk of exposure, SOS Intelligence recommends binding web servers exclusively to localhost, disabling diagnostic modules and debugging features, removing test pages before deployment, suppressing server signatures, stripping metadata from uploaded content, and isolating hidden services from public-facing infrastructure.
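As an added example (not from the report or SOS Intelligence), the check below audits an Apache virtual host configuration for the hardening points listed above: a Listen directive that is not bound to loopback, verbose ServerTokens/ServerSignature settings, and a mod_status /server-status location left open. The two configuration samples are constructed for illustration.

```python
import re

# Constructed sample: a hidden-service vhost with the leaks the report describes.
LEAKY_CONF = """
Listen 80
ServerTokens Full
ServerSignature On
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Constructed sample: the same vhost after applying the recommendations.
HARDENED_CONF = """
Listen 127.0.0.1:8080
ServerTokens Prod
ServerSignature Off
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""


def audit_apache_config(conf: str) -> list[str]:
    """Return one finding per hardening point that the config fails."""
    findings = []
    # 1. Anything not bound to loopback is reachable from outside the tor daemon.
    for m in re.finditer(r"^\s*Listen\s+(\S+)", conf, re.M):
        addr = m.group(1)
        if not (addr.startswith("127.") or addr.startswith("[::1]")):
            findings.append(f"Listen {addr}: bind to 127.0.0.1 so only tor can reach the server")
    # 2. Server banner verbosity (ServerTokens defaults to Full when absent).
    m = re.search(r"^\s*ServerTokens\s+(\S+)", conf, re.M)
    if not m or m.group(1).lower() != "prod":
        findings.append("ServerTokens: set to Prod to drop version details from the Server header")
    # ServerSignature defaults to Off, so only an explicit non-Off value is flagged.
    m = re.search(r"^\s*ServerSignature\s+(\S+)", conf, re.M)
    if m and m.group(1).lower() != "off":
        findings.append("ServerSignature: set to Off to remove server details from error pages")
    # 3. mod_status handler exposed without a loopback-only access rule.
    for block in re.finditer(r"<Location\s+/server-status>(.*?)</Location>", conf, re.S | re.I):
        body = block.group(1)
        if "server-status" in body and not re.search(r"Require\s+(ip\s+127\.|local)", body):
            findings.append("/server-status: mod_status reachable by visitors; disable it or restrict to loopback")
    return findings


if __name__ == "__main__":
    for name, conf in (("leaky", LEAKY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_apache_config(conf) or "no findings")
```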