Comment by malisper
3 days ago
Not exactly. Step E in the blog post:
> Gemini exfiltrates the data via the browser subagent: Gemini invokes a browser subagent per the prompt injection, instructing the subagent to open the dangerous URL that contains the user's credentials.
fulfills the requirements for being able to change external state
I disagree. No state "owned" by LLM changed, it only sent a request to the internet like any other.
EDIT: In other words, the LLM didn't change any state it has access to.
To stretch this further - clicking on search results changes the internal state of Google. Would you consider this ability of LLM to be state-changing? Where would you draw the line?
[EDIT]
I should have included the full C option:
Change state or communicate externally. The ability to call `cat` and then read results would "activate" the C option in my opinion.