From the article...
In MtGoxs case, it appears that what happened is that the site was expecting transactions to show up in the public ledger under the specific transaction ID it had recorded. When those transactions didnt show up because the thief had edited the ID the thief could then complain that the transaction had failed, and the system would automatically retry, initiating a second transaction and sending out more bitcoins.Transaction malleability is a flaw in bitcoin itself, and its not MtGoxs fault that transactions can be renamed in this way. But its also a flaw which has been known about since 2011, and one which can be rendered harmless with software which accurately reports balances and transactions.
Hold on a second. It sounds like you are saying the thieves took possession of the first Bitcoins that were sent, said they didn’t get them and Mt Gox sent more. Is that right?
If so, no Bitcoin was owned by two people.
How is that different from someone buying something online with a Visa and then calling up Visa saying “I dispute the charges. The item was never mailed to me” and having Visa withhold payment from the merchant? It happens all the time.
When constructing a transaction, coins (transaction outputs in Bitcoin parlance) are gathered together from the sending account to cover the amount needed. When the transaction is confirmed, these coins can never be spent again. If they appear in another transaction, they will be recognized as spent and the new transaction is rejected. As your referenced article points out (just after the quoted section), MTGox sent out additional bitcoin, not the same coin.
The article correctly describes the malleability problem, and makes it clear that MTGox had to have been excessively lax on accounting procedures to allow this to go on for any length of time. I would add that it was MTGox's responsibility as an exchange software developer to understand and properly deal with the Bitcoin system. As the article points out transaction malleability was a known issue in 2011 (May of that year). MTGox had plenty of time to address the issue in their system. If they had been watching their accounts with any diligence, they would have known they had a problem and should have dealt with it then.