
Issue 818613


Issue metadata

Status: WontFix
Closed: Mar 2018
Type: Bug-Security




Security: getUserMedia SSL bypassing (Invalid certificates permitted to create a Secure Context)

Reported by mentosme...@gmail.com, Mar 5 2018

Issue description

VULNERABILITY DETAILS
To use navigator.mediaDevices.getUserMedia on a website, that website requires SSL to be enabled. However, a website can also access getUserMedia while it has no SSL installed. The only thing required to do so is replacing http:// with https:// in the URL. You will still get the Chrome warning that the website is insecure. When you ignore that error and still proceed to the webpage, that website is able to see your webcam.

VERSION
Chrome Version: 64.0.3282.137 stable, 64.0.3282.186 stable
Operating System: Android 7.0.0 Motorola Moto G4 Plus, Windows 10

REPRODUCTION CASE
Extract the attached zip file inside your localhost / server location (like the XAMPP htdocs folder). Make sure that that location has no SSL enabled. Then, on another device, visit the IP address or URL where you put the index.html. You will see an alert that getUserMedia is not supported (like it should). Now, replace the leading http:// in the URL with https://. Ignore the Google Chrome SSL warning and proceed to the website. It will ask to use your camera, and when granted will also display it.

In my specific test, I did the following:
Extract this zip in my XAMPP htdocs folder. Then find my computer's IP address. Enter that IP address on any other device (tested with Windows 10 and Android). Replace the http:// of the URL with https://. Ignore the SSL warning. Accept the use of the camera. Camera is now visible.
 
Attachment: https-getusermedia.zip (34.7 KB)
Status: WontFix (was: Unconfirmed)
Summary: Security: getUserMedia SSL bypassing (Invalid certificates permitted to create a Secure Context) (was: Security: getUserMedia SSL bypassing)
To reproduce this, the server in question must have HTTPS enabled. The report complains that, after clicking through a Certificate Error interstitial, window.isSecureContext returns true and APIs that require secure contexts (geolocation, getUserMedia, etc. [1]) are permitted. This is working as designed. In this scenario, the user (rather than the browser's own certificate validation) has vouched for the validity of the certificate.

[1] https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins
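
The behaviour described in the comment above, as an added example that is not part of the issue thread or Chromium's code: a simplified JavaScript model of the W3C Secure Contexts "potentially trustworthy origin" test, showing that the outcome depends on the origin's scheme and host and not on how the certificate came to be accepted. The function names, the `certState` labels and the 192.0.2.10 address are assumptions made for illustration.

```javascript
// Simplified model (added example, not Chromium source) of the
// "potentially trustworthy origin" test from the W3C Secure Contexts spec.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing dot
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  // Loopback addresses and localhost names are trusted even over plain HTTP.
  if (/^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]") return true;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (url.protocol === "file:") return true;
  return false;
}

// certState is a hypothetical label for how the top-level load ended:
//   "none"       - plain HTTP, no certificate involved
//   "valid"      - certificate validated by the browser
//   "overridden" - validation failed, user clicked through the interstitial
//   "blocked"    - validation failed, user did not proceed
// Returns null when no page loads, otherwise the modelled isSecureContext.
function modelIsSecureContext(urlString, certState) {
  if (certState === "blocked") return null;
  // Once the page has loaded, only the origin is consulted: a user override
  // and a browser-validated certificate give the same answer.
  return isPotentiallyTrustworthy(urlString);
}

// Constructed sample inputs mirroring the report's steps
// (192.0.2.10 is a documentation-only address standing in for the LAN host).
const cases = [
  ["http://192.0.2.10/index.html", "none"],
  ["https://192.0.2.10/index.html", "blocked"],
  ["https://192.0.2.10/index.html", "overridden"],
  ["https://192.0.2.10/index.html", "valid"],
  ["http://localhost/index.html", "none"],
];

function runCases() {
  return cases.map(([url, certState]) => ({
    url,
    certState,
    isSecureContext: modelIsSecureContext(url, certState),
  }));
}

console.table(runCases());
```
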
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 11 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
