One example that I have in there is Yo. Yo will automatically Yo someone on your behalf. So if an inline frame has yo://gepeto42 (basically), and you have Yo installed, I have just "de-anonymized" your Yo account as you browsed my website (or any page where I could inject that iframe). A good tip on where to find out about those is to buy Launch Center Pro and to extract the plist it has. This has info about hundreds of iOS apps and how their URL Schemes work.
I just did a talk during BSidesLV on the subject of URL Schemes and dangerous implementations.
For those who want all the details:
http://youtu.be/rJroherlZVo?t=1m33s
For those who want to skip explanations on how they work and see the bad examples, auto skipping about 10min:
http://youtu.be/rJroherlZVo?t=10m24s
One example that I have in there is Yo. Yo will automatically Yo someone on your behalf. So if an inline frame has yo://gepeto42 (basically), and you have Yo installed, I have just "de-anonymized" your Yo account as you browsed my website (or any page where I could inject that iframe). A good tip on where to find out about those is to buy Launch Center Pro and to extract the plist it has. This has info about hundreds of iOS apps and how their URL Schemes work.
Happy hunting.