How could the transaction be changed without needing to be re-signed? I lack the technical knowledge to understand how what you describe is possible.
You don't touch the actual signature, but there is meta-data around it. In a recent version of the official bitcoin client the format of that meta-data has been tightened, so the transaction data provided by MtGox is now being rejected by the latest official version. A hacker can then take the rejected raw txdata provided by MtGox, patch it and rebroadcast it. It will get through, but MtGox still thinks it is invalid and returns the balance.
This does not make sense. Explain again.
In Bitcoin <0.8 the ECDSA signature was allowed to be padded with leading zeros, but in Bitcoin 0.8+ it is no longer allowed. MtGox sometimes issued transactions with leading zeros, and those transactions got stuck (because they were refused by the majority who are running Bitcoin 0.8+). However, MtGox published their failed transactions through an accessible API (https://data.mtgox.com/api/0/bitcoin_tx.php, the signatures are now redacted). Therefore, you could apply for withdrawals on purpose until you got an ECDSA signature with leading zeros. Then you take that transaction and remove the leading zeros and rebroadcast the (modified) transaction. This would now be accepted by the network but with a different transaction hash. MtGox, however, thinks that the transaction never gets through because it is listening for its own transaction hash. Finally MtGox gives up, cancels the transaction, and returns the funds to the customer. Rinse, lather and repeat. In theory you can empty MtGox's BTC vault, but they were quick enough to see what was going on and cancelled BTC withdrawals. Now they have to fix their client to listen for malleable transactions.
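An added example, not part of the thread and not MtGox's or the Bitcoin client's code: it shows why a wallet that waits for its own transaction hash misses a re-encoded transaction, and how a key built from the spent outpoints and outputs still matches. The transaction layout is a simplified stand-in for the real wire format, and `tracking_key`, `withdrawal_confirmed` and the sample bytes are hypothetical names and constructed values.

```python
import hashlib

def dsha256(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def der_sig(r, s):
    """Wrap raw big-endian r and s as 0x30 len 0x02 len r 0x02 len s."""
    body = b"\x02" + bytes([len(r)]) + r + b"\x02" + bytes([len(s)]) + s
    return b"\x30" + bytes([len(body)]) + body

def split_sig(sig):
    """Return the raw r and s fields of a DER-encoded ECDSA signature."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2 or sig[2] != 0x02:
        raise ValueError("not a DER ECDSA signature")
    r_end = 4 + sig[3]
    if r_end + 2 > len(sig) or sig[r_end] != 0x02 or r_end + 2 + sig[r_end + 1] != len(sig):
        raise ValueError("bad integer lengths")
    return sig[4:r_end], sig[r_end + 2:]

def is_minimal(v):
    """Strict DER integer: no 0x00 prefix unless the next byte has its high bit set."""
    return len(v) > 0 and not (len(v) > 1 and v[0] == 0 and v[1] < 0x80)

def is_strict_sig(sig):
    r, s = split_sig(sig)
    return is_minimal(r) and is_minimal(s)

def txid(tx):
    """Hash over the whole transaction, signature bytes included (simplified layout)."""
    data = b"".join(op + bytes([len(sig)]) + sig for op, sig in tx["inputs"]) + tx["outputs"]
    return dsha256(data).hex()

def tracking_key(tx):
    """Hash over spent outpoints and outputs only; signature encoding cannot change it."""
    return dsha256(b"".join(op for op, _ in tx["inputs"]) + tx["outputs"]).hex()

def withdrawal_confirmed(sent_tx, seen_on_chain):
    """True if any observed transaction spends the same outpoints to the same outputs."""
    key = tracking_key(sent_tx)
    return any(tracking_key(t) == key for t in seen_on_chain)

# Constructed sample: one outpoint, one output blob, the same r and s encoded two ways.
R, S = bytes.fromhex("1f" * 32), bytes.fromhex("2a" * 32)
OUTPOINT, OUTPUTS = bytes(32) + b"\x00\x00\x00\x00", b"constructed-output-bytes"
SENT = {"inputs": [(OUTPOINT, der_sig(b"\x00" + R, S))], "outputs": OUTPUTS}  # padded r
SEEN = {"inputs": [(OUTPOINT, der_sig(R, S))], "outputs": OUTPUTS}            # strict r
```

Running `is_strict_sig` on outgoing signatures before broadcast catches the padded encoding at the source, and `withdrawal_confirmed` reconciles a withdrawal even when the confirmed transaction carries a different hash.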