If .well-known had just been invented, that would be true. It's fairly well established at this point, though. For example, if someone can create arbitrary files in .well-known, they are also able to pass http-01 ACME challenges and thus issue TLS certs for your domain (modulo CAA) and MITM you. At this point, allowing users to modify .well-known is about as good an idea as allowing them to receive mail for postmaster@ or accepting incoming packets from 192.168.0.0/16 into your LAN.
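An added example, not from this thread or any ACME client or CA, that models the http-01 check the comment above refers to. It assumes a toy user-content host that serves each user's files at /<username>/<path> (constructed here as UserHosting; the username ".well-known", the attacker's account key bytes and the CA-chosen token are all made up for the example). The CA side follows RFC 8555: it fetches /.well-known/acme-challenge/<token> and compares the body to token + "." + base64url(SHA-256(JWK thumbprint per RFC 7638)). The vulnerable configuration lets someone register ".well-known" as a username; the two hardened variants are the ones the thread mentions, restricting usernames or prefixing them with ~.

```python
import base64
import hashlib
import json
import re
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographically sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# Hardened username policy (assumption for the example): lowercase alnum and hyphens, no leading dot.
SAFE_USERNAME = re.compile(r"^[a-z0-9][a-z0-9-]{0,38}$")


class UserHosting:
    """Constructed toy origin: user files are served at https://example.test/<prefix><username>/<path>."""

    def __init__(self, strict_usernames: bool, prefix: str = ""):
        self.strict = strict_usernames   # reject usernames that fail SAFE_USERNAME
        self.prefix = prefix             # e.g. "~" so user paths never collide with /.well-known/
        self.users: dict[str, dict[str, bytes]] = {}

    def register(self, username: str) -> bool:
        if self.strict and not SAFE_USERNAME.match(username):
            return False
        if username in self.users:
            return False
        self.users[username] = {}
        return True

    def upload(self, username: str, relpath: str, content: bytes) -> bool:
        """Users may create nested files under their own directory; traversal segments are refused."""
        if username not in self.users:
            return False
        if any(seg in ("", ".", "..") for seg in relpath.split("/")):
            return False
        self.users[username][relpath] = content
        return True

    def serve(self, path: str):
        """Route /<prefix><username>/<relpath> to that user's file, or None."""
        parts = path.lstrip("/").split("/", 1)
        if len(parts) != 2:
            return None
        user, rel = parts
        if self.prefix:
            if not user.startswith(self.prefix):
                return None
            user = user[len(self.prefix):]
        return self.users.get(user, {}).get(rel)


def ca_validate_http01(origin: UserHosting, token: str, expected_key_auth: str) -> bool:
    """What the CA does (RFC 8555 section 8.3): GET the challenge URL and compare the body."""
    body = origin.serve(f"/.well-known/acme-challenge/{token}")
    return body is not None and body.decode("ascii", "replace").strip() == expected_key_auth


def attacker_passes_http01(origin: UserHosting) -> bool:
    """An ordinary user of the host tries to satisfy an http-01 challenge for the host's own domain."""
    # Attacker's ACME account key: only the public JWK matters for the thumbprint (values constructed).
    attacker_jwk = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
    token = b64url(secrets.token_bytes(32))          # the CA picks the token
    key_auth = key_authorization(token, attacker_jwk)
    # The attack needs exactly one thing: the ability to put a file under /.well-known/acme-challenge/.
    if not origin.register(".well-known"):
        return False
    if not origin.upload(".well-known", f"acme-challenge/{token}", key_auth.encode("ascii")):
        return False
    return ca_validate_http01(origin, token, key_auth)


if __name__ == "__main__":
    print("permissive usernames:", attacker_passes_http01(UserHosting(strict_usernames=False)))
    print("strict usernames:   ", attacker_passes_http01(UserHosting(strict_usernames=True)))
    print("~user prefix:       ", attacker_passes_http01(UserHosting(strict_usernames=False, prefix="~")))
```

The point of the prefix variant is that it needs no username policy at all: user content can never be reachable at a path the CA will fetch, which is the same property a reverse proxy gives you when it routes /.well-known/acme-challenge/ to the ACME client before anything user-controlled sees the request.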
Amazon S3 specifically would not be vulnerable because bucket names can’t have dots in them; same for every other service that doesn’t allow those. Neither would services that prefix usernames with ~ or @ or similar, nor services that already use http-01 ACME challenges to get certs and are thus already using that path.
I’d be much happier if proving domain control were only done through DNS challenges, but that ship has sailed.
Though MitM that way requires more steps than faking identity this way, as you need to somehow get in the middle or redirect traffic towards you.
> I’d be much happier if proving domain control were only done through DNS challenges, but that ship has sailed.
Agreed.