Some Google Chrome apps have been disabled after they tracked users' data without their knowledge, it's claimed.
Detectify, a US security firm, says 12 apps including Emoji Input, Speakit and SuperBlock Adblocker were able to record people's browser history.
It also means they could get information on any sites set up using Facebook Connect or via shared links.
The extensions allow access to every site a person visits via default permissions in the apps.
A person's browsing data can then be sold on by a third party company.
"Some of these permissions are legit, needed by the extension to work," says Detectify on its website.
"But more often than not, the extensions are also embedding third party scripts which are gathering all your browser traffic."
Detectify says the Google Web Store has removed one of the apps, HoverZoom, used to zoom into images.
It says eight of the 12 listed Chrome extensions are now disabled and says "a few of the remaining extensions" have removed the tracking scripts used to see people's browser history.
Shared drives can sometimes also be accessed via the default permissions as well - although Dropbox Pro and Business users can lock links internally.
"For people using shared links on Dropbox or Google Drive, these tracking services are able to get access to all information shared," Detectify says.
"Many times you are sharing material that might be confidential, like a financial report or an internal contract or document.
"Through these analytics services, people can find these links to the documents and gain access to them without your knowledge or consent."
A similar problem was uncovered in Apple's App store by SourceDNA last month, involving private data being shared by an advertising firm.
Google has yet to comment.