So you can sit on the network, watch for transactions, and echo them with the signatures slightly tweeked, but still valid. These new transactions will have different hashes, and will compete with the original transactions for inclusion in a block. When a cloned transaction beats out the original for block inclusion, it will leave the original in the owners wallet unconfirmable forever, resulting in inconvenience and unspendable coins. Quick echoing and network latency gives this a finite chance of happening.
Of course, you can't create or destroy coins with this, and the money still winds up at the right destination. However, the typical user isn't going to know how to restore an old wallet and rescan the block chain to get his bitcoin client back to working condition.
It might be a good idea to patch this before some enterprising person with excess time on their hands (cough) makes a cloned transaction echobot.
There are several interesting observations that I made based on recent Bitcoin events (I mean recent attacks on Bitcoin exchanges and Silk Road 2). First of all, I did not know until yesterday that there is Silk Road 2! Very little time has passed since the disappearance of Silk Road 1. That was fast! Second, now I can create a new category called "Bitcoin Breaches" so the existing Card Data Breaches section can relax a bit (it's overloaded and worked too hard since December last year) . And finally, it turns out that the bug, which caused all recent Bitcoin breaches, is not new, and the attack vector was described almost 3 years ago! The following post is dated May 15, 2011.
You can also find a decent explanation, which (hopefully) does not require a deep technical understanding of the Bitcoin implementation, of transaction malleability (that's how this bug was eventually named - beautiful name!) here.