ArcHound 6 hours ago

I recall that. In this case, you have only A and B and yet, all of your secrets are in the hands of an attacker.

It's a great start, but not nearly enough.

EDIT: right, when we bundle state with external comms, we have all three indeed. I missed that too.

malisper 5 hours ago | parent | next [-]

Not exactly. Step E in the blog post:

> Gemini exfiltrates the data via the browser subagent: Gemini invokes a browser subagent per the prompt injection, instructing the subagent to open the dangerous URL that contains the user's credentials.

fulfills the requirements for being able to change external state

ArcHound 5 hours ago | parent [-]

I disagree. No state "owned" by LLM changed, it only sent a request to the internet like any other.

EDIT: In other words, the LLM didn't change any state it has access to.

To stretch this further - clicking on search results changes the internal state of Google. Would you consider this ability of LLM to be state-changing? Where would you draw the line?

wingmanjd 5 hours ago | parent | next [-]

[EDIT]

I should have included the full C option:

Change state or communicate externally. The ability to call `cat` and then read results would "activate" the C option in my opinion.

bartek_gdn 5 hours ago | parent | prev [-]

What do you mean? The last part in this case is also present, you can change external state by sending a request with the captured content.
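As an added example (not code from this thread or from the blog post it discusses): a small Python capability gate that models the three conditions the thread is arguing over. The meanings of A and B are assumed here to be access to private data and exposure to untrusted content; the tool names, the `Session` class and the sample secret are constructed for the example. The gate treats a browser subagent opening a URL as satisfying the C option, since the URL itself is delivered to whoever hosts it, and it additionally refuses any outbound URL that carries a value the session earlier read from a private source, whether raw, percent-encoded or base64-encoded.

```python
"""Capability gate for an LLM agent's tool calls (added example).

Each tool declares which of the three conditions it contributes.  A session
accumulates the conditions its completed calls have touched; a call that
would make all three present at once is refused, and any outbound URL is
also checked for private values the session has already read.
"""
import base64
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Iterable, Optional, Set
from urllib.parse import quote, unquote


class Cap(Flag):
    NONE = 0
    PRIVATE_DATA = auto()     # A: reads the user's private data (assumed meaning)
    UNTRUSTED_INPUT = auto()  # B: consumes attacker-authorable content (assumed)
    EXTERNAL_COMMS = auto()   # C: changes state or communicates externally


ALL_THREE = Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT | Cap.EXTERNAL_COMMS


@dataclass(frozen=True)
class Tool:
    name: str
    caps: Cap


# Constructed tool catalogue (hypothetical names).  Opening a URL in a browser
# subagent counts as C: the URL is a message to the site that receives it.
TOOLS = {
    "read_credentials_file": Tool("read_credentials_file", Cap.PRIVATE_DATA),
    "fetch_webpage": Tool("fetch_webpage", Cap.UNTRUSTED_INPUT),
    "browser_open_url": Tool("browser_open_url",
                             Cap.UNTRUSTED_INPUT | Cap.EXTERNAL_COMMS),
    "send_webhook": Tool("send_webhook", Cap.EXTERNAL_COMMS),
    "summarize": Tool("summarize", Cap.NONE),
}


def encodings_of(secret: str) -> Set[str]:
    """Forms in which a secret commonly turns up inside a URL."""
    raw = secret.encode()
    return {
        secret,
        quote(secret, safe=""),
        base64.b64encode(raw).decode(),
        base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }


def url_carries_secret(url: str, secrets: Iterable[str]) -> bool:
    """True if any known private value appears in the URL in any encoding."""
    views = (url, unquote(url))
    return any(enc in view
               for s in secrets for enc in encodings_of(s) for view in views)


@dataclass
class Session:
    caps: Cap = Cap.NONE
    secrets: Set[str] = field(default_factory=set)

    def record_output(self, tool_name: str, output: str) -> None:
        """Remember what a completed call touched and, for A tools, returned."""
        tool = TOOLS[tool_name]
        self.caps |= tool.caps
        if Cap.PRIVATE_DATA in tool.caps and output.strip():
            self.secrets.add(output.strip())

    def check_call(self, tool_name: str, url: Optional[str] = None) -> str:
        """Return "allow" or "deny: <reason>" for a proposed tool call."""
        tool = TOOLS[tool_name]
        after = self.caps | tool.caps
        if (after & ALL_THREE) == ALL_THREE:
            return (f"deny: {tool.name} would complete A+B+C "
                    f"(session already has {self.caps})")
        if (Cap.EXTERNAL_COMMS in tool.caps and url
                and url_carries_secret(url, self.secrets)):
            return "deny: outbound URL contains private data read earlier"
        return "allow"


if __name__ == "__main__":
    # Constructed replay of the flow under discussion: A, then B, then the
    # browser subagent asked to open an attacker-chosen URL.
    s = Session()
    s.record_output("read_credentials_file", "sekrit")   # constructed secret
    s.record_output("fetch_webpage", "<page with a prompt injection>")
    print(s.check_call("browser_open_url", "https://evil.example/?c=sekrit"))
```

The first check is the coarse one: it refuses the third condition regardless of what the URL contains. The second check is the narrower fallback for sessions that hold only A plus a C-only tool, where a request to a URL the agent composed itself is still an egress path for whatever it has read.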