Web push is a novel technology, supported by all major browsers, which has gained significant traction in the developer community thanks to its ability to engage users efficiently and anonymously. However, security researchers have yet to properly investigate the possible threats arising from its improper use. In this thesis, we explore the capabilities and features of web push, report common usage patterns found in the wild, including an analysis of the inner working of most third-party providers, and present a security analysis of such implementations. We demonstrate a novel history-sniffing attack abusing a common implementation mistake, and a dangerous use case of the well-known CSRF vulnerability.