A year old loophole in Apache Web Server, uncovered by an unknown Computer Science Student, could unmask the real identity of Onion Servers. The loophole was reported on Reddit and to the Tor Project months back, but it recently came to the limelight soon after a tweet by Alec Muffet, a well-known security enthusiast and current software engineer at Facebook. An Onion Website can be hosted on the top of any web servers, but, if you are choosing Apache, then you need to rethink. Most distributions of Apache Server. ship with mod_status module, enabled by default, which could disclose the. identity of the. Onion.onion domains.
Source: https://thehackernews.com/2016/02/apache-tor-service-unmask.html