Hidden iFrame Attacks

There's a 1×1 pixel iframe on this page. You can't see it. It's loading a page from another domain, and since the moment this page finished loading it has been quietly working for someone else. That's the basic idea behind hidden iframe attacks, and the reason they are one of the most underestimated threats on the web.

(Don't worry — there isn't actually a hidden iframe on this page. But on thousands of compromised sites, there is.)

In 2024, researchers at Zscaler identified over 30,000 websites actively serving hidden iframes for clickjacking, credential theft, and cryptocurrency mining. Many had been compromised for weeks or months without the site owners knowing.

What Makes an iFrame "Hidden"?

An iframe is just an HTML element that embeds another web page inside the current page. You see them everywhere — YouTube videos, Google Maps, Stripe payment forms. That's all fine. The problem starts when an iframe is deliberately made invisible.

Here's what a hidden iframe looks like in the page source:

<!-- Zero dimensions -->
<iframe src="https://evil.com/harvest"
  width="0" height="0"
  style="border:none"></iframe>

<!-- Off-screen positioning -->
<iframe src="https://evil.com/mine"
  style="position:absolute;left:-9999px"></iframe>

<!-- Full transparency -->
<iframe src="https://evil.com/click"
  style="opacity:0;position:absolute;top:0;left:0;width:100%;height:100%"></iframe>

The last one is particularly nasty. It covers the entire page but is completely invisible, and because it is stacked on top of the page content, every click you make on the "real" page actually lands on whatever is in that iframe.

What Attackers Use Hidden iFrames For

Clickjacking

A transparent iframe is layered over a page. When you click what you think is a "Play Video" button, you're actually clicking "Confirm Transfer" in a banking interface loaded inside the invisible iframe. Facebook's "Like" button was a classic clickjacking target for years.

Credential Harvesting

A transparent iframe is positioned exactly over the page's real login fields. When you click into the username box, the click lands on an input inside the attacker's frame, and everything you type goes to the attacker's form instead of the page's. One tell: because the frame is transparent, the characters you type never appear in the visible field. Attackers who want to avoid that tell make the frame visible instead and style its login form to look like it belongs to the page.

Crypto Mining

A zero-dimension iframe loads a page running a cryptocurrency miner (like the now-defunct Coinhive). The mining code runs using your CPU, slowing down your computer while generating revenue for the attacker. You see nothing in the browser.

Ad Fraud

Hidden iframes load ad networks and "view" advertisements invisibly. The site owner (or the attacker, if the site is compromised) collects ad revenue from impressions that no human ever saw. This is a multi-billion dollar industry.

A Real Clickjacking Attack, Step by Step

Let's walk through how a clickjacking attack actually works. Say you're on a malicious page that shows a "Win a Free iPhone" button.

  1. The attacker creates a page with a visible "Claim Prize" button positioned at specific coordinates.
  2. An invisible iframe loads your bank's transfer confirmation page (you're already logged in from a previous session).
  3. The iframe is positioned so that the "Confirm Transfer" button sits exactly on top of the visible "Claim Prize" button.
  4. You click "Claim Prize." Your browser actually clicks "Confirm Transfer" inside the bank's iframe.
  5. Because you're authenticated in the bank's session, the transfer goes through. Your session cookie was sent with the iframe request. That last step depends on the cookie being sent cross-site at all: Chromium-based browsers default cookies without a SameSite attribute to SameSite=Lax, which withholds them from cross-site iframe loads unless the bank explicitly sets SameSite=None; Secure.

The entire attack takes a single click. No malware, no phishing page, no stolen password needed — just an invisible iframe and a click on the wrong button.

The X-Frame-Options header and the Content-Security-Policy frame-ancestors directive let a site opt out of being framed. Banks and security-conscious sites set them. But many sites don't, and even when they do, misconfigurations leave gaps: the old ALLOW-FROM value is ignored by current browsers, and when both headers are present, browsers that understand frame-ancestors ignore X-Frame-Options, so a permissive frame-ancestors list silently overrides a strict X-Frame-Options: DENY. The defense needs to work on both sides: the site preventing framing, and the browser detecting suspicious iframes.
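As an added example (not code from this page, from PhishClean, or from any browser), the check below reads a response's framing headers and says whether a given attacker origin could embed the page in an iframe, which is what step 2 of the walkthrough above depends on. It models the gaps just mentioned: no policy at all, the obsolete ALLOW-FROM value, conflicting X-Frame-Options values, and a frame-ancestors list that overrides X-Frame-Options. The origins and header sets are constructed for the example, and the CSP source matching is simplified (no path matching).

```javascript
// Added example: given a response's headers, decide whether attackerOrigin
// could frame the page. headers maps lower-cased header name -> array of
// values (a header may repeat; for CSP every policy must allow the embed).

// Pull the source list out of one CSP policy; null if it has no frame-ancestors.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source match the attacker's origin? Simplified CSP
// matching: 'self', '*', scheme-source ("https:") and host-source with an
// optional scheme, "*." host wildcard and port. Path components are ignored.
function sourceMatches(src, attacker, page) {
  if (src === '*') return true;
  if (src === 'self') return attacker.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return attacker.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && attacker.protocol !== scheme + ':') return false;
  const h = attacker.hostname;
  if (wild ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*') {
    const attackerPort = attacker.port || (attacker.protocol === 'https:' ? '443' : '80');
    if (attackerPort !== port) return false;
  }
  return true;
}

function framingPolicy(headers, pageOrigin, attackerOrigin) {
  const page = new URL(pageOrigin);
  const attacker = new URL(attackerOrigin);
  const verdict = (frameable, reason) => ({ frameable, reason });

  // frame-ancestors takes precedence: browsers that support it ignore
  // X-Frame-Options when it is present. With several policies, all must allow.
  let sawFrameAncestors = false;
  for (const policy of headers['content-security-policy'] || []) {
    const sources = frameAncestors(policy);
    if (sources === null) continue;
    sawFrameAncestors = true;
    // An empty list or 'none' allows nobody.
    const allows = !sources.includes('none') &&
      sources.some(s => sourceMatches(s, attacker, page));
    if (!allows) return verdict(false, `CSP frame-ancestors blocks ${attacker.origin}`);
  }
  if (sawFrameAncestors) return verdict(true, `CSP frame-ancestors permits ${attacker.origin}`);

  const xfo = (headers['x-frame-options'] || []).map(v => v.trim().toLowerCase());
  if (xfo.length === 0) return verdict(true, 'no X-Frame-Options and no frame-ancestors: anyone can frame the page');
  if (new Set(xfo).size > 1) return verdict(false, 'conflicting X-Frame-Options values; Chromium falls back to DENY, but fix the misconfiguration');
  if (xfo[0] === 'deny') return verdict(false, 'X-Frame-Options: DENY');
  if (xfo[0] === 'sameorigin') return verdict(attacker.origin === page.origin, 'X-Frame-Options: SAMEORIGIN');
  if (xfo[0].startsWith('allow-from')) return verdict(true, 'ALLOW-FROM is obsolete and ignored by current browsers, so the header does nothing');
  return verdict(true, `unrecognised X-Frame-Options value "${xfo[0]}" is ignored by browsers`);
}

// Constructed header sets (not captured from any real site).
const BANK = 'https://bank.example';
const CASES = {
  'no policy':             {},
  'deny':                  { 'x-frame-options': ['DENY'] },
  'obsolete allow-from':   { 'x-frame-options': ['ALLOW-FROM https://partner.example'] },
  'csp overrides xfo':     { 'x-frame-options': ['DENY'], 'content-security-policy': ['frame-ancestors https:'] },
  'conflicting xfo':       { 'x-frame-options': ['DENY', 'SAMEORIGIN'] },
};
for (const [name, headers] of Object.entries(CASES)) {
  console.log(name.padEnd(22), JSON.stringify(framingPolicy(headers, BANK, 'https://evil.example')));
}
```

The "csp overrides xfo" case is the one to watch for in a review: the site set X-Frame-Options: DENY, but a later CSP with frame-ancestors https: made it frameable by any HTTPS site, and the browser never consults the stricter header.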

Why Existing Defenses Fall Short

Hidden iframes occupy a blind spot in most security tools.

The gap is clear: nothing in the standard security stack inspects iframes from the user's perspective and asks "Is this iframe trying to be invisible?"

How PhishClean Detects Hidden iFrames

PhishClean's Hidden iFrame Detection signal inspects every iframe on every page you visit. It checks for the patterns that indicate an iframe is deliberately hidden: zero or near-zero dimensions, off-screen positioning, and full transparency.

Visible iframes from trusted sources (YouTube, Maps, payment processors) are ignored. PhishClean only flags iframes that are both hidden and loading suspicious content.

The entire analysis runs locally. Your browsing data stays on your device.
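To make that kind of check concrete, here is an added example of hidden-iframe heuristics. It is not PhishClean's code: the thresholds, the trusted-host list, the sample frames and the page URL are all constructed for the example, and in place of PhishClean's "suspicious content" test it uses a simpler rule, flagging frames that are hidden, cross-origin, and not on an allow-list of known embed hosts. The classifier is pure, so it runs here on constructed snapshots; the snapshot builder is what you would run inside a real page.

```javascript
// Added example, not PhishClean's code: heuristics for "is this iframe trying
// to be invisible?". classifyFrame() is pure and runs on the constructed
// snapshots below; snapshotFrames() builds the same snapshot shape from a
// live DOM when the script runs inside a page.

// Thresholds and the trusted-host list are assumptions for this example.
const MIN_VISIBLE_PX = 2;       // 0x0 and 1x1 frames are not meant to be seen
const MIN_OPACITY = 0.1;        // effective opacity below this reads as invisible
const OVERLAY_COVERAGE = 0.5;   // transparent frame over half the viewport = overlay
const TRUSTED_EMBED_HOSTS = new Set(['www.youtube.com', 'js.stripe.com']);

function classifyFrame(f) {
  const reasons = [];
  // How much of the frame actually intersects the viewport.
  const visW = Math.max(0, Math.min(f.right, f.viewportWidth) - Math.max(f.left, 0));
  const visH = Math.max(0, Math.min(f.bottom, f.viewportHeight) - Math.max(f.top, 0));
  const coverage = (visW * visH) / (f.viewportWidth * f.viewportHeight);

  if (f.display === 'none') reasons.push('display:none');
  else if (f.width < MIN_VISIBLE_PX || f.height < MIN_VISIBLE_PX) reasons.push(`${f.width}x${f.height} px`);
  else if (visW === 0 || visH === 0) reasons.push(`off-screen at (${f.left}, ${f.top})`);
  if (f.visibility === 'hidden') reasons.push('visibility:hidden');
  const transparent = f.opacity < MIN_OPACITY;
  if (transparent) reasons.push(`effective opacity ${f.opacity}`);
  // A transparent frame covering most of the viewport is the clickjacking pattern.
  const clickjackOverlay = transparent && coverage >= OVERLAY_COVERAGE;
  if (clickjackOverlay) reasons.push(`transparent overlay covering ${Math.round(coverage * 100)}% of the viewport`);

  // el.src is absolute in the DOM; non-http(s) sources (about:blank, srcdoc) are treated as same-origin here.
  const page = new URL(f.pageUrl);
  const frame = /^https?:/i.test(f.src) ? new URL(f.src) : page;
  return {
    src: f.src, host: frame.hostname, crossOrigin: frame.origin !== page.origin,
    hidden: reasons.length > 0, clickjackOverlay, reasons,
  };
}

// Report frames that are hidden, cross-origin and not a known embed host.
function auditFrames(snapshots, trustedHosts = TRUSTED_EMBED_HOSTS) {
  return snapshots.map(classifyFrame)
    .filter(r => r.hidden && r.crossOrigin && !trustedHosts.has(r.host));
}

// Browser-only: snapshot every iframe in a live document. Opacity is multiplied
// up the ancestor chain, so an opaque iframe inside an opacity:0 wrapper still
// reads as transparent (getComputedStyle(el).opacity alone would miss it).
function snapshotFrames(doc, win) {
  return Array.from(doc.querySelectorAll('iframe')).map(el => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    let opacity = 1;
    for (let n = el; n; n = n.parentElement) opacity *= parseFloat(win.getComputedStyle(n).opacity);
    return {
      src: el.src, pageUrl: doc.location.href,
      width: r.width, height: r.height, left: r.left, top: r.top, right: r.right, bottom: r.bottom,
      opacity, visibility: cs.visibility, display: cs.display,
      viewportWidth: win.innerWidth, viewportHeight: win.innerHeight,
    };
  });
}

// Constructed snapshots of one page at a 1280x800 viewport (not captured data).
const PAGE_URL = 'https://shop.example/checkout';
function snap(src, geom, style = {}) {
  const base = { src, pageUrl: PAGE_URL, opacity: 1, visibility: 'visible', display: 'block',
    viewportWidth: 1280, viewportHeight: 800,
    right: geom.left + geom.width, bottom: geom.top + geom.height };
  return Object.assign(base, geom, style);
}
const SAMPLE_FRAMES = [
  snap('https://www.youtube.com/embed/example', { left: 100, top: 400, width: 560, height: 315 }),       // visible embed
  snap('https://js.stripe.com/', { left: 0, top: 0, width: 0, height: 0 }),                               // hidden, but trusted host
  snap('https://shop.example/keepalive', { left: 0, top: 0, width: 0, height: 0 }, { display: 'none' }),  // hidden, same-origin
  snap('https://tracker.example/pixel', { left: 0, top: 0, width: 1, height: 1 }),                        // 1x1 tracker
  snap('https://evil.example/mine', { left: -9999, top: 0, width: 300, height: 150 }),                    // off-screen miner
  snap('https://bank.example/transfer', { left: 0, top: 0, width: 1280, height: 800 }, { opacity: 0 }),   // clickjacking overlay
];

for (const r of auditFrames(SAMPLE_FRAMES)) console.log(`${r.host}: ${r.reasons.join('; ')}`);
```

Two things this misses that a production detector would need: clipping (clip-path, overflow:hidden on a 0-size wrapper) and frames stacked under other content with a negative z-index, both of which hide a frame without touching its own size or opacity. The ancestor walk for opacity is there because opacity is not inherited in computed style, so checking only the iframe's own value is an easy way to be fooled.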

Related Threats

Formjacking

Injected scripts that steal form data — another invisible attack on legitimate sites.

SSL Stripping

Hidden iframes sometimes load HTTP content inside HTTPS pages, creating mixed-content vulnerabilities. Current browsers block an HTTP iframe inside an HTTPS page as active mixed content, so this mostly bites on pages served over plain HTTP or in older browsers.

Phishing Attacks

Hidden iframes can load phishing forms that overlay real login pages.

PhishClean vs Safe Browsing

Chrome doesn't detect hidden iframes. See what 15 local detection signals cover.

Frequently Asked Questions

Are iframes always dangerous?

Not at all. Iframes are a standard HTML feature used legitimately across the web. YouTube embeds, Google Maps, Stripe payment forms — they all use iframes. The danger is specifically with hidden iframes: ones that have zero dimensions, are positioned off-screen, or are fully transparent. A visible iframe from a trusted source is perfectly fine.

Can iframes steal my passwords?

Not directly — browsers enforce same-origin policy, so an iframe from a different domain can't read what you type on the parent page. But hidden iframes enable indirect attacks: clickjacking tricks you into interacting with an invisible iframe, transparent iframes can overlay fake input fields on top of real ones, and credential-harvesting iframes can present login forms that look like they belong to the page.

Do ad blockers stop hidden iframe attacks?

They stop some. Ad blockers maintain lists of known advertising and tracking domains, so iframes from those domains get blocked. But they don't detect hidden iframes from new or unknown domains, and they can't identify when a legitimate domain has been compromised. PhishClean checks iframe properties (size, visibility, position) regardless of the source, catching what ad blockers miss.

See the iFrames You Can't See

PhishClean detects hidden iframes on every page — clickjacking overlays, zero-pixel trackers, and off-screen loaders. 3-day free trial, no credit card required.

Install PhishClean