IRCTC Security flaw exposed

August 19, 2009

One security flaw has already been reported in a blog: http://blog.mayankkapoor.com/2008/06/security-hole-on-irctc-train-ticket.html

For my part, I found one. IRCTC has good validation on the client side, but poor validation on the server side. So I tricked IRCTC and changed some values after form submission; the system failed to validate them properly. I changed the berth preference to ‘dummy berth’; it accepted. Worse, I tried to book a ticket for Rs.3/-; the system accepted it and redirected me to SBI for the money transfer. When I transferred Rs.13/- (with commission), IRCTC failed with a communication error (Thank God!). I thought the system had somehow failed to deliver a ticket for a fake amount. The next day I got an automated mail from IRCTC saying that the ticket had been cancelled and a refund of Rs.262 (????!!!) would be credited to my account within ‘n’ working days. I was shocked by the mail and have reported it to IRCTC to fix the bug soon.

Update: IRCTC fixed this issue
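
The server-side checks whose absence the post describes, as an added example that is not part of the original post and not IRCTC's code: the berth preference is checked against an allowlist, the fare is taken from server data instead of the submitted form, and any refund is limited to what the payment gateway actually received. The train code, class codes, berth names, fare values and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed reference data (assumption): real berth codes and fares are not on the page.
ALLOWED_BERTHS = {"LOWER", "MIDDLE", "UPPER", "SIDE_LOWER", "SIDE_UPPER", "NONE"}
FARE_TABLE = {("T100", "SL"): 250, ("T100", "3A"): 700}  # rupees

class ValidationError(ValueError):
    """Raised when a submitted booking form fails server-side validation."""

@dataclass(frozen=True)
class Order:
    train: str
    travel_class: str
    berth: str
    amount: int  # rupees, always computed on the server

def build_order(form: dict) -> Order:
    """Re-validate every field on the server; client-side checks are advisory only."""
    berth = str(form.get("berth", "")).strip().upper()
    if berth not in ALLOWED_BERTHS:
        raise ValidationError(f"unknown berth preference: {berth!r}")
    key = (str(form.get("train", "")), str(form.get("travel_class", "")))
    if key not in FARE_TABLE:
        raise ValidationError("unknown train/class combination")
    fare = FARE_TABLE[key]
    # A client-supplied amount is only compared against the server fare,
    # never used for charging; a mismatch means the form was tampered with.
    submitted = form.get("amount")
    if submitted is not None and str(submitted) != str(fare):
        raise ValidationError("submitted amount does not match server fare")
    return Order(key[0], key[1], berth, fare)

def settle(order: Order, gateway_paid: int) -> tuple[bool, int]:
    """Return (issue_ticket, refund) from the amount the gateway reports as paid."""
    if gateway_paid == order.amount:
        return True, 0
    # Wrong amount received: no ticket, and refund exactly what was received,
    # never a figure derived from the fare table.
    return False, max(gateway_paid, 0)
```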