The way I understand bitcoin is that you can't simply sell coins made by adding them to a db record. Perhaps the MtGox system can artificially generate the appearance of those coins, but the actual validation of the transaction by the network would have failed.
The way I understand Mt. Gox is that they have a giant pool of real btc. They are the "owner" of these btc. So, for instance, if your account says you have 3000 btc, then your 3000 is just an entry in a database, and the only time that actually becomes a bitcoin is when you cash out the coins from Mt. Gox. At that point, they give you the amount of coins that you requested to be withdrawn from their giant btc pool. So, in other words, there aren't actually any specific bitcoins that are assigned to you specifically. You essentially own an IOU for 3000 bitcoins that you can cash out at any time. That's also why they can roll back transactions, because no bitcoins are actually transfered in their system, only database entries that state who owns how many bitcoins. That's why I think someone could update an account's bitcoins balance to any number, and then sell them on the market, because you're not really transferring bitcoins. You're transferring IOUs for bitcoins in a database.
Judging by the amateur security issues they've had lately, I think it's highly unlikely that they have the right controls in place to catch something like that automatically.
I imagine that all BTC available for trade at MtGox are in a MtGox-owned wallet. All trades are just done in their database, and a transaction only hits the bitcoin network when a user wants to withdraw BTC out of the market.
In that case, while adding fake BTC will not let you actually withdraw coins, it would allow one to issue mass sell orders and crash the price for BTC. Then the exploiter could purchase them at their lower valuation.
'Sell' fake coins. Crash the price. Buy 'real' coins. A virtual coin laundering. Fascinating.
