Transactions are malleable. Deal with it. If a transaction is observed on the network that has the same input outpoints and the same outputs, it is the same transaction, and mtgox should treat it as such. This is a simple check to do, and trivial to automate.
The trivial fix it to use the hash which is used for signing as a transaction identifier. Should be fine for all standard transactions.
that would not spot modifications e.g. through removing/altering an unused push from script
The goal isn't to "spot modifications", the goal is to check if transaction was included into a block.
Generally speaking, attacker can only modify scriptSig(s), so if you compute hash of a transaction without scriptSig(s) (like how it is done for signing purposed), that hash will be unique: if you spot transaction with that hash in blockchain then transaction was successful.
.
The simple solution is to know what coins (UTXO) one owns and recognize if they are spend no matter with what hash.
Yes, but what I described above can be a drop-in replacement in a gox-like system: simply use a different hash as a txid.
But, yeah, whatever...