wait a second - how the hell would this vulnerability allow withdrawing unlimited amount of bitcoins?
if you withdraw coins and dupe the TX with a wrong hash you are not getting double coins in any way and why would a marketplace then refund the customer? it doesn't make any sense.
if you deposit coins and dupe the TX with a wrong hash then you may see "unconfirmed" coins under your balance that will never get any confirmations.
explain me if I misunderstand anything here
It wouldn't. However in mtgox's case they had their wallet set to auto approve these requests and were just giving people bitcoins out of their hot wallet that they didn't own. Basically they were giving people attempting to fraud them other people's bitcoins.