Then I searched how to insert scripts in iframes and call them. It was very easy than I thought it would be. I can change anything in that page. Then I changed srcto Facebook and nothing showed up and same happened with Google. After searching about this, I found out that they set x-frame-optionsto denyin their header response. The DOM people have no power over manipulation of response header.
Browsers implement this thing in order to prevent the attacks I was trying to do. The famous attack using this is Clickjacking, in which the hacker or spammer shows the original website under the transparent layer of its own. The user actually clicks the transparent layer of the website but not the legitimate website in iframe and thus running the hacker’s script. Facebook has been a big victim of it, the attack is known as Likejacking. I didn’t research on it more but they have implemented a double-check process which is not much reliable. So, your security is more on your common sense.
Conclusion is that you can’t breach Google’s security but can hack other websites which do not use x-frame-options in their header response. Better use it in your website.
For any help on trying it out, mail us at firstname.lastname@example.org
PS: This is totally an educational post and is intended for letting people know about Clickjacking attacks.