I did not believe this at first, but after some testing it seems true: in the AOSP browser before Android 4.4, you can load JavaScript into any arbitrary frame or window by prepending a NULL byte to a "javascript:..." string. This module automates loading and stealing HTML and cookies from cross-domain frames.
It was disclosed here a few days ago: http://1337day.com/exploit/description/22581
I don't see a public advisory for this anywhere from the vendor. :(
Note: If the site you are trying to steal uses th...