It has been well known for years that a bitcoin transaction is malleable in many ways. One way is to pad some garbage in the signature. If this is done properly, the transaction is still valid. By malleability, however, you can't change the payer, payee, or the amount paid, so no one could steal others' bitcoin in this way. Just like in the real world, spilling some coffee on a cheque won't invalidate it. The rightful payee will still get the money.
In the gox case, they mistakenly padded their transactions with garbage (dirt on a cheque). Although the transaction is still valid, many miners do not like garbage in transactions and refuse to confirm gox's transactions. Therefore, some users try to remove the garbage (clean the cheque), and the transaction gets confirmed. So the user is happy. However, as the transaction looks different now (without garbage, different hash), gox's stupid customized wallet can't realize that the transaction is already confirmed, and falsely thinks that the coin is unspent.
The big question is how long has this been going on and has someone actively exploited it?
This is simply gox's problem, as they shouldn't follow the transaction flow this way in the first place.
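To make the "different hash, same payment" point concrete, here is an added Python toy (not code from this thread or from any real wallet). It is deliberately simplified: transactions are JSON dicts, and the signed digest is assumed to cover everything except the scriptSig, which is roughly what SIGHASH_ALL does; real Bitcoin serialization and DER rules differ in detail. All transaction ids and amounts below are constructed sample values.

```python
import copy
import hashlib
import json

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def serialize(tx: dict, strip_scriptsig: bool = False) -> bytes:
    # Toy serialization (canonical JSON), standing in for the wire format.
    ins = [{"prev": i["prev"], "n": i["n"],
            "scriptsig": "" if strip_scriptsig else i["scriptsig"]}
           for i in tx["inputs"]]
    return json.dumps({"inputs": ins, "outputs": tx["outputs"]}, sort_keys=True).encode()

def txid(tx: dict) -> str:
    # The id everyone sees covers the scriptSig, so padding changes it.
    return sha256d(serialize(tx)).hex()

def sighash(tx: dict) -> str:
    # What the signature commits to: inputs spent and outputs paid, not the scriptSig.
    return sha256d(serialize(tx, strip_scriptsig=True)).hex()

def pad_scriptsig(tx: dict, garbage: str) -> dict:
    # Simulates the "dirt on the cheque": extra bytes the signature does not cover.
    mal = copy.deepcopy(tx)
    for i in mal["inputs"]:
        i["scriptsig"] += garbage
    return mal

def confirmed_by_txid(sent: dict, confirmed: list) -> bool:
    # The fragile check: looks only for the hash the wallet originally broadcast.
    return any(txid(t) == txid(sent) for t in confirmed)

def confirmed_by_payment(sent: dict, confirmed: list) -> bool:
    # The robust check: are our inputs spent in a confirmed tx that pays the same outputs?
    want_ins = {(i["prev"], i["n"]) for i in sent["inputs"]}
    for t in confirmed:
        if {(i["prev"], i["n"]) for i in t["inputs"]} == want_ins and t["outputs"] == sent["outputs"]:
            return True
    return False

# Constructed sample: spend one prior output, pay a customer, keep change.
SENT = {"inputs": [{"prev": "aa" * 32, "n": 0, "scriptsig": "3044..sig..01 02..pubkey"}],
        "outputs": [{"amount": 150000000, "to": "customer-address"},
                    {"amount": 49990000, "to": "gox-change-address"}]}
# The confirmed copy is the same payment with the garbage stripped (here: the reverse).
PADDED = pad_scriptsig(SENT, " 00 00 garbage")
```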