When it tries to access public websites, the Tor network has one big security flaw; despite the fact that the nodes between your computer and the public internet can’t see where the traffic is coming from and going to, the exit node (the final hop in the network) will know what webserver will you be connecting to.
If the “final hop” is not protected via HTTPS encryption then the exit node will know pretty much about your Tor use, which took place between the webserver and you. The exit node, in this case, can see what you send and what you receive, and it can interfere with the connection (for example, it can upload a malicious code that exploits bugs in your browser in order to take it over). In the instance, your session includes identifying information (cookies, such as, a login and password) then the one who is running a spy exit node can reveal your identity without directly interfering in your session. The problem was pretty big when HTTPS