top | item 46049801


malisper | 3 months ago

Not exactly. Step E in the blog post:

> Gemini exfiltrates the data via the browser subagent: Gemini invokes a browser subagent per the prompt injection, instructing the subagent to open the dangerous URL that contains the user's credentials.

fulfills the requirements for being able to change external state.


ArcHound | 3 months ago

I disagree. No state "owned" by the LLM changed; it only sent a request to the internet like any other.

EDIT: In other words, the LLM didn't change any state it has access to.

To stretch this further: clicking on search results changes the internal state of Google. Would you consider this ability of the LLM to be state-changing? Where would you draw the line?

wingmanjd | 3 months ago

[EDIT]

I should have included the full C option:

Change state or communicate externally. The ability to call `cat` and then read results would "activate" the C option in my opinion.
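The thread argues over whether step E (a browser subagent opening a URL that carries the user's credentials) counts as "communicate externally". The following is an added example, not code from the post, the linked blog, or the product it discusses, of how a defender treats it that way in practice: an egress guard that taints values obtained from private sources (for instance the output of `cat` on a credentials file) and refuses any outbound URL that carries one of them, in plain, percent-encoded, base64 or hex form, or that targets a host outside an allowlist. The class name `EgressGuard`, the hostnames and the credential string are constructed for this example.

```python
"""Egress guard for an agent's browser/fetch tool (added example).

Every outbound URL is treated as an external communication. It is only
allowed when the host is on an allowlist and the URL carries none of the
values the agent previously obtained from private sources.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass
class EgressGuard:
    allowed_hosts: set[str]
    # Values the agent obtained from private sources (file reads, secrets).
    tainted: set[str] = field(default_factory=set)

    def taint(self, value: str) -> None:
        """Record a private value so its later appearance in a URL is caught."""
        if len(value) >= 8:  # skip short tokens that would only cause false positives
            self.tainted.add(value)

    @staticmethod
    def _encodings(value: str) -> set[str]:
        """Common forms in which an injected instruction smuggles a value into a URL."""
        raw = value.encode()
        return {
            value,
            base64.b64encode(raw).decode(),
            base64.urlsafe_b64encode(raw).decode().rstrip("="),
            raw.hex(),
        }

    def check(self, url: str) -> tuple[bool, str]:
        """Return (allowed, reason) for a URL the subagent wants to open."""
        host = (urlsplit(url).hostname or "").lower()
        if host not in self.allowed_hosts:
            return False, f"host {host!r} not in allowlist"
        # Decode percent-encoding once so it cannot hide a tainted value.
        haystack = unquote(url)
        for value in self.tainted:
            if any(form in haystack for form in self._encodings(value)):
                return False, "URL carries private data"
        return True, "ok"


def demo() -> list[tuple[str, bool, str]]:
    """Run the guard over constructed URLs: one benign, three exfiltration attempts."""
    guard = EgressGuard(allowed_hosts={"docs.example.com"})
    # Constructed: the agent earlier read a credential via `cat` and the
    # tool wrapper tainted the result before handing it to the model.
    secret = "AKIA-EXAMPLE-SECRET-1234"
    guard.taint(secret)
    urls = [
        "https://docs.example.com/search?q=agent+security",
        f"https://docs.example.com/log?d={secret}",
        "https://docs.example.com/p?d=" + secret.encode().hex(),
        "https://attacker.example.net/collect?d="
        + base64.b64encode(secret.encode()).decode(),
    ]
    return [(u, *guard.check(u)) for u in urls]


if __name__ == "__main__":
    for url, allowed, reason in demo():
        print(("ALLOW" if allowed else "BLOCK"), reason, url)
```

The guard sits in the tool layer, not in the prompt, so a prompt injection that instructs the subagent to open a crafted URL still hits the check; the taint set is what makes "the agent can read a file" and "the agent can fetch a URL" add up to an exfiltration path worth blocking.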