Citizen Lab said Chinese and English-language versions of UC Browser, developed by UCWeb Inc, made easily available to third parties personally identifiable information like location, search details and mobile subscriber and device numbers.
The transmission of this information "represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data", it said in a report.
Alibaba spokesman Bob Christie said the problems were immediately fixed and customers notified of an update to the browser after Citizen Lab brought the issues to Alibaba's attention in April.
"We take security very seriously and we do everything possible to protect our users," he said.
A UCWeb spokesman declined immediate comment.
Citizen Lab, based at the University of Toronto, said UC Browser had more than 500 million registered users and was the most popular web browser in China and India.
Citizen Lab said the Chinese version was more vulnerable and said that by installing and opening that version users exposed "a significant number" of personal identifiers and location information to third parties.
"By leaking a large volume of fine-grained data points to multiple network operators, the UC Browser app is increasing the risks to its users that such data may be used against them by authorities, criminals, or other third parties," it said.
Alibaba acquired UCWeb last June, in what was at the time the biggest merger in Chinese Internet history.
© Thomson Reuters 2015