There's no flaw and no security threat, only a great deal of speculation by uninformed individuals who haven't taken the time to verify any of their assertions.

The airlines send names to the TSA 72 hours prior to departure. The TSA determines who should not get PreCheck screening under any circumstances: the general public, those on "no-fly" lists, members who list a Trusted Traveler number that doesn't match their full name, etc. These people get a "0". Other people that are potentially approved for PreCheck screening get a "3". This information is stored in the boarding pass barcode, but it's not a secret. Security does not increase or decrease when passengers view the barcode information, including the PreCheck digit. The PreCheck approval digit and other identifying information in the bar code (like passenger name and flight details) are digitally signed by the airline which prevents any possibility of tampering. This signature uses public key encryption to allow the signature to be verified offline, without any connection to a live database maintained by the airline or the TSA.

At the airport when the BP is scanned, the reader makes a decision whether to allow the person into the expedited screening lane:
0 -> Normal screening
3 -> Expedited screening MOST of the time. The barcode reader or any TSA official can require a normal screening for any or no reason, whether there is a 3 there or not. This is the critical "random" element that ensures that getting a "3" on your BP is not a free pass.

The final screening decision is always made at the checkpoint, regardless of what is printed on the BP barcode. There's no hackery going on here (unless you call scanning a cereal box at the grocery store checkout "hacking") and no security threat.